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ELECTRIC GRID SECURITY 


TUESDAY, JULY 17, 2012 

U.S. Senate, 

Committee on Energy and Natural Resources, 

Washington, DC. 

The committee met, pursuant to notice, at 10 a.m. in room SD- 
366, Dirksen Senate Office Building, Hon. Jeff Bingaman, chair- 
man, presiding. 

OPENING STATEMENT OF HON. JEFF BINGAMAN, U.S. 

SENATOR FROM NEW MEXICO 

The Chairman. OK. Why don’t we go ahead and get started? 

I am advised that Senator Murkowski is on her way, but urged 
us to proceed. This morning’s hearing is to examine the status of 
actions taken by the Federal Energy Regulatory Commission or 
FERC, and the North American Electric Reliability Corporation or 
NERC, and the States to protect the electric grid from computer at- 
tacks on their facilities and control systems. 

I don’t think we need to talk much about the serious nature of 
this issue. Last week, we experienced a week-long outage in much 
of this region. It was a weather-related outage, but it demonstrates 
how important reliable service on the electric grid is. 

We read every day of newly discovered attacks or threats on com- 
puter systems in this country and around the world. According to 
the Director of National Intelligence, there’s been a dramatic in- 
crease in the frequency of malicious cyber activity, targeting U.S. 
computers and networks, including a more than tripling of the vol- 
ume of malicious software, since 2009. So, the threat is real, and 
it is serious. 

In 2005, we gave FERC the authority to name an entity to de- 
velop and enforce standards to protect the reliability of the grid. I 
believe that there are two things that we can say about the system 
that has emerged since then. 

First, the current reliability system does have a mandatory char- 
acter, so the electric grid is the only critical infrastructure in this 
country that has some form of an enforceable standard for 
cybersecurity. 

Second, the current reliability system that has emerged is cum- 
bersome and overly complicated. This may be adequate to deal with 
reliability concerns like, standards for trimming trees so that they 
do not fall on transmission lines, but when it comes to cyber at- 
tacks, I am concerned that the current system is not adequate. 

The process to develop standards started in earnest in 2006 
when NERC filed a series of reliability standards with NERC; a 

( 1 ) 
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number of them related to cybersecurity and FERC found them 
wanting. In a series of filings since then, NERC has corrected some 
of the shortcomings that the FERC highlighted. 

As recently as April, version 4 of the cyber standards was ap- 
proved, with the provision that NERC address the remaining inad- 
equacies by the end of the first quarter of next year. That means 
that we are here today in this committee, 7 years after we passed 
the law, and we are still waiting for this process to produce the full 
set of adequately protective standards that we need. That cum- 
bersome process has to address a threat, whose nature is rapidly 
changing. The standards that are in place may not be flexible 
enough to deal with emerging threats, and we still do not have an 
effective system in place to require action in the face of an immi- 
nent cyber attack. 

NERC has developed a system of alerts to help the industry with 
newly discovered threats. I will have some questions about that 
system, how that system is working in practice. 

The concerns that have prompted this hearing are ones that have 
resulted in bipartisan cybersecurity legislation that we have re- 
ported from this committee, both this Congress and in the last Con- 
gress. In 2010, Senator Murkowski and I agreed on an expedited 
approach to cybersecurity standards that was centered at FERC 
and that passed the committee unanimously. That bill was hotlined 
for passage in the Senate at the end of the last Congress. It ran 
into holes from two of our colleagues and, perhaps, more. 

Last year. Senator Murkowski and I reworked the proposal into 
one that featured a greater role for NERC, but allowed FERC to 
set effective deadlines for action and also gave the Secretary of En- 
ergy emergency cybersecurity authority. Once again, that bill 
passed this committee unanimously. 

I don’t believe that the cyber threat facing the electric grid has 
gotten any less serious since last year, when we acted on a bipar- 
tisan basis to pass our legislation out of the committee. 

In the testimony for today’s hearing, there are suggestions that 
there are additional cyber issues that also need focused attention, 
particularly with respect to the implementation of smart grid tech- 
nologies. We need to address these vulnerabilities that are clearly 
before us. The bill that passed this committee unanimously would 
be an excellent place to start. It did a good job of balancing the 
need to avail ourselves of the expertise in industry on these issues, 
with the need to act expeditiously. Nothing since then has changed 
the need for clear authority to deal with immediate emergencies 
and longer-term vulnerabilities. 

As we all agreed last year, processes that take years to bear 
fruit, may be sufficient for less urgent reliability issues, but not for 
the challenges we face in cybersecurity. So, I look forward to hear- 
ing from the witnesses. 

Let me defer to Senator Murkowski for any opening statements 
she would like to make. 

STATEMENT OF HON. LISA MURKOWSKI, U.S. SENATOR 
FROM ALASKA 

Senator Murkowski. Thank you, Mr. Chairman. Welcome, to all 
the witnesses this morning. I appreciate the hearing today. 
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Of course, the purpose of this morning’s hearing is to take an- 
other — and, perhaps, a closer — look at the ongoing efforts to protect 
our Nation’s grid from cyher attacks. I do think it is important that 
we recognize the tremendous amount of work that has already gone 
into safeguarding the grid’s reliability. 

Back in 2005, Congress directed FERC to select an electric reli- 
ability organization, now known as the NERC, and tasked it with 
establishing and enforcing mandatory reliability standards, includ- 
ing cyber standards. 

I think it has been a difficult, time-consuming process, but I 
would like to commend NERC for the professional and balanced 
way that it has consistently met its responsibilities. 

There is no question, Mr. Chairman, as you point out, that 
cybersecurity is an absolutely critical issue. It should be addressed 
by this Congress. I am certain that every member of this body is 
concerned that our Nation may be vulnerable to cyber attacks that 
could have severe economic and security ramifications. 

We see stories about this just about every day, on individuals, on 
companies, on the Government — these cyber incursions. It is time 
for us to take steps to protect ourselves from a very real and 
emerging threat. 

Last year, as you point out, Mr. Chairman, the Energy Com- 
mittee did report out a sector-specific cybersecurity bill. This action 
was taken in response to the majority leader’s directive to the var- 
ious committees with cyber jurisdiction to produce their own bills. 
At which point, they would all be stitched together into a single 
piece of cybersecurity legislation. 

I think, Mr. Chairman, that the Energy Committee was the only 
committee to have actually done just exactly that. But since that 
time, now over a year ago, circumstances have evolved. I think 
there is near agreement that we need a comprehensive approach 
to the cybersecurity problem. Some would have us believe that only 
the Department of Homeland Security and a host of new Federal 
regulations will protect us from persistent cyber threats. 

But I don’t think that heavy-handed static requirements from yet 
another Federal regulator will address the very real threat that we 
face. I think, instead, that we need a much more nimble approach 
to deal with cyber-related threats that are constantly growing and 
always changing. 

I have joined with a number of other Ranking Member colleagues 
to introduce, what we’re calling, the Secure IT Act. This is S. 3342. 
I think it’s a pragmatic approach to this issue. We focus on 4 areas 
that, I believe, we can draw bipartisan support for. That is within 
the area of information sharing. We have got FISMA reform, crimi- 
nal penalties, additional research. 

But what the Secure IT Act does not do, I think, is equally im- 
portant. It does not add new layers of bureaucracy and regulation 
that will serve little purpose and achieve meager results. I think 
it is a pretty straightforward approach to cybersecurity that can go 
a long ways in addressing our problem. 

Mr. Chairman, I thank you for convening this hearing. I look for- 
ward to hearing what the witnesses have to say on the actions that 
have been taken to date, as well as the ongoing efforts to secure 
the grid at both the transmission and the distribution level. 
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The Chairman. Thank you very much. I would just point out 
that the Majority Leader has advised, I think, everyone who’s — lis- 
tens to his statements that he hopes we can move to cybersecurity 
legislation on the Senate floor between now and the time we ad- 
journ in August, and so, I think this hearing is particularly timely 
for that reason. 

Let me introduce our 4 witnesses. 

First is, Mr. Joseph McClelland, Director of the Office of Electric 
Reliability at the Federal Energy Regulatory Commission. 

Next is, Mr. Gregory C. Wilshusen, who is the Director of Infor- 
mation and Technology, with the Government Accountability Of- 
fice. 

Third is, Mr. Gerry Cauley, who is President and Chief Executive 
Officer with the North American Electric Reliability Corporation, 
NERC. Thank you very much for being here. 

Mr. Todd Snitchler, who is the Chairman of the Public Utility 
Commission of Ohio. Thank you very much for being here. 

Mr. McClelland, why don’t you start. If each of you could take 
5 or 6 minutes and give us the main things you think we need to 
understand about the issue. We will then have some questions. 

STATEMENT OF JOSEPH MCCLELLAND, DIRECTOR, OFFICE OF 

ELECTRIC RELIABILITY, FEDERAL ENERGY REGULATORY 

COMMISSION 

Mr. McClelland. Thank you, Mr. Chairman. 

Mr. Chairman, Ranking Member, and members of the committee, 
thank you for the privilege to appear before you today to discuss 
the security of the electric grid. My name is Joe McClelland, and 
I am the Director of the Office of Electric Reliability at the Federal 
Energy Regulatory Commission. 

I am here today as a Commission staff witness and my remarks 
do not necessarily represent the views of the Chairman or any indi- 
vidual commissioner. 

The Commission is committed to protecting the reliability of the 
Nation’s bulk power system. Nevertheless, limitations in Federal 
authority do not fully protect the grid against physical and cyber 
threats. My testimony summarizes the Commission’s oversight of 
the reliability of the electric grid under section 215 of the Federal 
Power Act, and the Commission’s implementation of that authority, 
with respect to cyber-related reliability issues, primarily through 
Order 706 

In the Energy Policy Act of 2005, Congress entrusted the Com- 
mission with a major new responsibility, to oversee mandatory en- 
forceable reliability and cybersecurity standards for the Nation’s 
bulk power system. This authority is in new section 215 of the Fed- 
eral Power Act. 

Under the new authority, FERC cannot author or modify reli- 
ability standards, but must select an Electric Reliability Organiza- 
tion, or ERO, to perform this task. The ERO develops and proposes 
reliability standards or modifications for the Commission’s review, 
which it can then either approve or remand. 

If the Commission approves the proposed reliability standard, it 
applies to the users, owners, and operators of a bulk power system 
and becomes mandatory in the United States. If the Commission 
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remands a proposed standard, it is sent back to the ERO for fur- 
ther consideration. 

The Commission selected the North American Electric Reliability 
Corporation, or NERC, as the ERO. It is important to note that 
EERC’s jurisdiction and reliability authority is limited to the “bulk 
power system,” as defined in the ERA, which excludes Alaska and 
Hawaii distribution systems, and can exclude transmission facili- 
ties in certain large cities, such as New York. 

In addition to the reliability authority, EERC is also charged 
with oversight of the cybersecurity of the bulk power system. As is 
the case with non-security issues, EERC’s authority under 215 of 
our cybersecurity is exercised through the reliability standards de- 
veloped by the ERO and approved by EERC. Pursuant to this duty, 
EERC approved 8 cybersecurity standards known as the Critical 
Infrastructure Protection standards, or CIP standards, proposed by 
NERC, while concurrently directing modifications to them in Janu- 
ary 2008. 

Three sets of modifications, responding to the Commission’s di- 
rectives, have been received from the ERO, and the last was ap- 
proved earlier this year. 

Although the CIP standards are approved, full compliance with 
these revised standards will not be mandatory until 2014. More im- 
portantly, in approving the latest revision of the CIP standards, the 
Commission recognized that they are an interim step and raised its 
concern that the newly revised standards do not provide enough 
protection to satisfy the Commission’s January 2008 Order. Thus, 
the Commission established a deadline for the end of the first quar- 
ter of 2013, for NERC to file standards in compliance with the out- 
standing directives in that Order. 

Physical attacks against the power grid can cause equal or great 
destruction than cyber attacks. One example of a physical threat 
is an electromagnetic pulse, or EMP, event. 

In 2001, Congress established a commission to assess the threat 
from EMP. In 2004 and, again, in 2008, the Commission issued its 
reports. Among the findings in the reports were that a single EMP 
attack could seriously degrade or shut down a large part of the 
electric power grid. Depending upon the attack, significant parts of 
the electric infrastructure could be, “Out of service for periods 
measured in months to a year or more.” 

In addition to man-made attacks, EMP events are also naturally 
generated, caused by solar flares and storms, disrupting the 
Earth’s magnetic field. Such events can be powerful and can also 
cause significant and prolonged disruptions to the power grid. 

The standards development system utilized under EPA 215 de- 
velops mandatory reliability standards, using an open and inclusive 
process, based on consensus. Although it can be an effective mecha- 
nism with dealing with the routine requirements of the power grid, 
it is inadequate when addressing threats to the power grid that en- 
danger national security. 

Despite its active role in approving reliability standards, EERC’s 
current legal authority is insufficient to assure direct, timely, and 
mandatory action to protect the grid, particularly where certain in- 
formation should not be publicly disclosed. 
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Any new legislation should address several key concerns. First, 
legislation should allow the Federal Government to take action be- 
fore a cyber or physical national security incident has occurred. 

Second, any legislation should ensure appropriate confidentiality 
of the sensitive information submitted, developed, or issued under 
this authority. 

Third, if additional reliability authority is limited to the bulk 
power system, as that term is currently defined in the FPA, it 
would not authorize Federal action to mitigate cyber or other na- 
tional security threats to reliability that involve certain critical fa- 
cilities in major population areas. 

Finally, it is important that entities be able to recover costs that 
they incur to mitigate vulnerabilities and threats. 

Thank you for your attention today. I am available to address 
any questions that you may have. 

[The prepared statement of Mr. McClelland follows:] 

Prepared Statement of Joseph McClelland, Director, Office of Electric 
Reliability, Federal Energy Regulatory Commission 

Mr. Chairman, Ranking Member and Members of the Committee: 

Thank you for this opportunity to appear before you to discuss the security of the 
electric grid. My name is Joseph McClelland. I am the Director of the Office of Elec- 
tric Reliability (OER) of the Federal Energy Regulatory Commission (FERC or Com- 
mission). The Commission’s role with respect to reliability is to help protect and im- 
prove the reliability of the Nation’s bulk power system through effective regulatory 
oversight as established in the Energy Policy Act of 2005. I am here today as a Com- 
mission staff witness and my remarks do not necessarily represent the views of the 
Commission or any individual Commissioner. 

The Commission is committed to protecting the reliability of the nation’s bulk 
electric system; nevertheless, the Commission’s current authority is not adequate to 
address cyber or other national security threats to the reliability of our transmission 
and power system. These types of threats pose an increasing risk to our Nation’s 
electric grid, which undergirds our government and economy and helps ensure the 
health and welfare of our citizens. 

I will describe how limitations in Federal authority do not fully protect the grid 
against physical and cyber threats. My testimony also summarizes the Commission’s 
oversight of the reliability of the electric grid under section 215 of the Federal 
Power Act (FPA) and the Commission’s implementation of that authority with re- 
spect to cyber related reliability issues primarily through Order No. 706. 

BACKGROUND 

In the Energy Policy Act of 2005 (EPAct 2005), Congress entrusted the Commis- 
sion with a major new responsibility to oversee mandatory, enforceable reliability 
standards for the Nation’s bulk power system (excluding Alaska and Hawaii). This 
authority is in section 215 of the Federal Power Act. Section 215 requires the Com- 
mission to select an Electric Reliability Organization (ERO) that is responsible for 
proposing, for Commission review and approval, reliability standards or modifica- 
tions to existing reliability standards to help protect and improve the reliability of 
the Nation’s bulk power system. The Commission has certified the North American 
Electric Reliability Corporation (NERC) as the ERO. The reliability standards apply 
to the users, owners and operators of the bulk power system and become mandatory 
in the United States only after Commission approval. The ERO also is authorized 
to impose, after notice and opportunity for a hearing, penalties for violations of the 
reliability standards, subject to Commission review and approval. The ERO may del- 
egate certain responsibilities to “Regional Entities,” subject to Commission approval. 

The Commission may approve proposed reliability standards or modifications to 
previously approved standards if it finds them “just, reasonable, not unduly dis- 
criminatory or preferential, and in the public interest.” The Commission itself does 
not have authority to modify proposed standards. Rather, if the Commission dis- 
approves a proposed standard or modification, section 215 requires the Commission 
to remand it to the ERO for further consideration. The Commission, upon its own 
motion or upon complaint, may direct the ERO to submit a proposed standard or 
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modification on a specific matter but it does not have the authority to modify or au- 
thor a standard and must depend upon the ERO to do so. 

Limitations of Section 215 and the Term “Bulk Power System” 

Currently, the Commission’s jurisdiction and reliability authority is limited to the 
“bulk power system,” as defined in the FPA, and therefore excludes Alaska and Ha- 
waii, including any federal installations located therein. The current interpretation 
of “bulk power system” also excludes some transmission and all local distribution 
facilities, including virtually all of the grid facilities in certain large cities such as 
New York, thus precluding Commission action to mitigate cyber or other national 
security threats to reliability that involve such facilities and major population areas. 
The Commission directed NERC to revise its interpretation of the bulk power sys- 
tem to eliminate inconsistencies across regions, eliminate the ambiguity created by 
the current discretion in NERC’s definition of bulk electric system, provide a back- 
stop review to ensure that any variations do not compromise reliability, and ensure 
that facilities that could significantly affect reliability are subject to mandatory 
rules. NERC has recently filed a revised definition of the term bulk power system, 
and the Commission has solicited comments on its proposal to accept NERC’s re- 
vised definition. However, it is important to note that section 215 of the FPA ex- 
cludes local distribution facilities from the Commission’s reliability jurisdiction, so 
any revised bulk electric system definition developed by NERC will still not apply 
to local distribution facilities. 

Critical Infrastructure Protection Reliability Standards 

An important part of the Commission’s current responsibility to oversee the devel- 
opment of reliability standards for the bulk power system involves cyber related re- 
liability issues. In August 2006, NERC submitted eight proposed cyber standards, 
known as the Critical Infrastructure Protection (CIP) standards, to the Commission 
for approval under section 215. Critical infrastructure, as defined by NERC for pur- 
poses of the CIP standards, includes facilities, systems, and equipment which, if de- 
stroyed, degraded, or otherwise rendered unavailable, would affect the reliability or 
operability of the “Bulk Electric System.” Under NERC’s implementation plan for 
the CIP standards, full compliance became mandatory on July 1, 2010. 

On January 18, 2008, the Commission issued Order No. 706, the Final Rule ap- 
proving the CIP reliability standards while concurrently directing NERC to develop 
significant modifications addressing specific concerns. The Commission set a dead- 
line of July 1, 2009 for NERC to resolve certain issues in the CIP reliability stand- 
ards, including deletion of the “reasonable business judgment” and “acceptance of 
risk” language in each of the standards. NERC concluded that this deadline would 
create a very compressed schedule for its stakeholder process. Therefore, it divided 
all of the changes directed by the Commission into phases, based on their com- 
plexity. NERC opted to resolve the simplest changes in the first phase, while put- 
ting off more complex changes for later versions. 

NERC filed the first phase of the modifications to the CIP Reliability Standards 
(Version 2) on May 22, 2009. In this phase, NERC removed from the standards the 
terms “reasonable business judgment” and “acceptance of risk,” added a require- 
ment for a “single senior manager” responsible for CIP compliance, and made cer- 
tain other administrative and clarifying changes. In a September 30, 2009 order, the 
Commission approved the Version 2 CIP standards and directed NERC to develop 
additional modifications to certain of them. Pursuant to the Commission’s Sep- 
tember 30, 2009 order, NERC submitted Version 3 of the CIP standards which re- 
vised Version 2 as directed. The Version 3 CIP standards became effective on Octo- 
ber 1, 2010. This first phase of the modifications directed by the Commission in 
Order No. 706, which encompassed both Version 2 and Version 3, did not modify 
the critical asset identification process, a central concern in Order No. 706. 

On February 10, 2011, NERC initiated the second phase of the Order No. 706 di- 
rected modification, filing a petition seeking approval of Version 4 of the CIP stand- 
ards. Version 4 includes new proposed criteria to identify “critical assets” for pur- 
poses of the CIP reliability standards. On April 19, 2012, the Commission issued 
Order No. 761, approving the Version 4 CIP standards, which introduced “bright 
line” criteria for the identification of Critical Assets. The version 4 CIP standards 
do not go into effect until April 1, 2014. The currently effective CIP reliability stand- 
ards allow utilities significant discretion to determine which of their facilities are 
“critical assets and the associated critical cyber assets,” and therefore are subject 
to the requirements of the standards. It is important to note that although “critical 
assets” are used to identify subsequent “critical cyber assets,” only the subset of 
“critical cyber assets” — which are self-determined by the affected entities — are sub- 
ject to the CIP standards. As the Commission stated in Order No. 706, the identi- 
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fication of critical assets is the cornerstone of the CIP standards. If that identifica- 
tion is not done well, the CIP standards will be ineffective at maintaining the reli- 
ability of the bulk power system. 

In the order approving NERC’s Version 4 standards, the Commission recognized 
that Version 4 is an interim step and stated its concern that Version 4 does not pro- 
vide enough protection to satisfy Order No. 706. Thus, the Commission established 
a deadline of end of first quarter of 2013 for NERC to file standards in compliance 
with the outstanding directives in Order No. 706. 

The remaining CIP standards revisions to respond to the Commission’s directives 
issued in Order No. 706 are still under development by NERC. It is important to 
note that the majority of the Order No. 706 directed moifications to the CiP stand- 
ards have yet to be addressed by NERC. Until they are addressed, there are signifi- 
cant gaps in protection. 


THE NERC PROCESS 

As an initial matter, it is important to recognize how mandatory reliability stand- 
ards are established. Under section 215, reliability standards must be developed by 
the ERO through an open, inclusive, and public process. The Commission can direct 
NERC to develop a reliability standard to address a particular reliability matter. 
However, the NERC process typically requires years to develop standards for the 
Commission’s review. In fact, the CIP standards approved by the Commission in 
January 2008 took approximately three years to develop. 

NERC’s procedures for developing standards allow extensive opportunity for 
stakeholder comment, are open, and are generally based on the procedures of the 
American National Standards Institute. The NERC process is intended to develop 
consensus on both the need for, and the substance of, the proposed standard. Al- 
though inclusive, the process is relatively slow, open and unpredictable in its re- 
sponsiveness to the Commission’s directives. This process requires public disclosure 
regarding the reason for the proposed standard, the manner in which the standard 
will address the issues, and any subsequent comments and resulting modifications 
in the standards as the affected stakeholders review the material and provide com- 
ments. NERC-approved standards are then submitted to the Commission for its re- 
view. 

The procedures used by NERC are appropriate for developing and approving rou- 
tine reliability standards. The process allows extensive opportunities for industry 
and public comment. The public nature of the reliability standards development 
process can be a strength of the process. However, it can be an impediment when 
measures or actions need to be taken to address threats to national security quickly, 
effectively and in a manner that protects against the disclosure of security-sensitive 
information. The current procedures used under section 215 for the development 
and approval of reliability standards do not provide an effective and timely means 
of addressing urgent cyber or other national security risks to the bulk power system, 
particularly in emergency situations. Certain circumstances, such as those involving 
national security, may require immediate action, while the reliability standard pro- 
cedures take too long to implement efficient and timely corrective steps. On Sep- 
tember 3, 2010, FERC approved a new reliability standards process manual filed by 
NERC. While this manual includes a process for developing a standard related to 
a confidential issue, the new process is untested and it is unclear how the process 
would be implemented. 

FERC rules governing review and establishment of reliability standards allow the 
agency to direct the ERO to develop and propose reliability standards under an ex- 
pedited schedule. For example, FERC could order the ERO to submit a reliability 
standard to address a reliability vulnerability within 60 days. Also, NERC’s rules 
of procedure include a provision for approval of “urgent action” standards that can 
be completed within 60 days and which may be further expedited by a written find- 
ing by the NERC board of trustees that an extraordinary and immediate threat ex- 
ists to bulk power system reliability or national security. However, it is not clear 
NERC could meet this schedule in practice. Moreover, faced with a national security 
threat to reliability, there may be a need to act decisively in hours or days, rather 
than weeks, months or years. That would not be feasible even under the urgent ac- 
tion process. In the meantime, the bulk power system would be left vulnerable to 
a known national security threat. Moreover, existing procedures, including the ur- 
gent action procedure, could widely publicize both the vulnerability and the pro- 
posed solutions, thus increasing the risk of hostile actions before the appropriate so- 
lutions are implemented. 

In addition, a reliability standard submitted to the Commission by NERC may not 
be sufficient to address the identified vulnerability or threat. Since FERC may not 
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directly modify a proposed reliability standard under section 215 and must either 
approve or remand it, FERC would have the choice of approving an inadequate 
standard and directing changes, which reinitiates a process that can take years, or 
rejecting the standard altogether. Under either approach, the bulk power system 
would remain vulnerable for a prolonged period. 

This concern was highlighted in the Department of Energy Inspector General’s 
January 2011 audit report on FERC’s “Monitoring of Power Grid Cyber Security.” 
The audit report identified concerns regarding the adequacy of the CIP standards 
and the implementation and schedule for the CIP standards, and concluded that 
these problems exist, in part, because the Commission’s authority to ensure ade- 
quate reliability of the bulk electric system is limited. This report emphasizes the 
need for additional authority to ensure adequate cyber security over the bulk elec- 
tric system. 

Finally, the open and inclusive process required for standards development is not 
consistent with the need to protect security-sensitive information. For instance, a 
formal request for a new standard would normally detail the need for the standard 
as well as the proposed mitigation to address the issue, and the NERC-approved 
version of the standard would he filed with the Commission for review. This public 
information could help potential adversaries in planning attacks. 

PHYSICAL SECURITY AND OTHER THREATS TO RELIABILITY 

The existing reliability standards do not extend to physical threats to the grid, 
hut physical threats can cause equal or greater destruction than cyber attacks and 
the Federal government should have no less ability to act to protect against such 
potential damage. One example of a physical threat is an electromagnetic pulse 
(EMP) event. EMP events can be generated from either naturally occurring or man- 
made causes. In the case of the former, solar magnetic disturbances periodically dis- 
rupt the earth’s magnetic field which in turn, can generate large induced ground 
currents. This effect, also termed the “E3” component of an EMP, can simulta- 
neously damage or destroy bulk power system transformers over a large geographic 
area. Regarding man-made events, EMP can also be generated by weapons. Equip- 
ment and plans are readily available that have the capability to generate high-en- 
ergy bursts, termed “El”, that can damage or destroy electronics such as those 
found in control and communication systems on the power grid. These devices can 
be portable and effective, facilitating simultaneous coordinated attacks, and can be 
reused, allowing use against multiple targets. The most comprehensive man-made 
EMP threat is from a high-altitude nuclear explosion. It would affect an area de- 
fined by the “line-of-sight” from the point of detonation. The higher the detonation 
the larger the area affected, and the more powerful the explosion the stronger the 
EMP emitted. The first component of the resulting pulse El occurs within a fraction 
of a second and can destroy control and communication electronics. The second com- 
ponent is termed “E2” and is similar to lightning, which is well-known and miti- 
gated by industry. Toward the end of an EMP event, a third element, E3, occurs. 
This causes the same effect as solar magnetic disturbances. It can damage or de- 
stroy power transformers connected to long transmission lines. It is important to 
note that effective mitigation against solar magnetic disturbances and non-nuclear 
EMP weaponry provides effective mitigation against a high-altitude nuclear explo- 
sion. 

In 2001, Congress established a commission to assess the threat from EMP, with 
particular attention to be paid to the nature and magnitude of high-altitude EMP 
threats to the United States; vulnerabilities of U.S. military and civilian infrastruc- 
ture to such attack; capabilities to recover from an attack; and the feasibility and 
cost of protecting military and civilian infrastructure, including energy infrastruc- 
ture. In 2004, the EMP commission issued a report describing the nature of EMP 
attacks, vulnerabilities to EMP attacks, and strategies to respond to an attack. ^ A 
second report was produced in 2008 that further investigated vulnerabilities of the 
Nation’s infrastructure to EMP.^ Both electrical equipment and control systems can 
be damaged by EMP. 

An EMP may also be a naturally-occurring event caused by solar flares and 
storms disrupting the Earth’s magnetic field. In 1859, a major solar storm occurred, 
causing auroral displays and significant shifts of the Earth’s magnetic fields. As a 
result, telegraphs were rendered useless and several telegraph stations burned 


1 Graham, Dr. William R. et al. Report of the Commission to Assess the Threat to the United 
States from Electromagnetic Pulse (EMP) Attack (2004). 

2 Dr. John S. Foster, Jr. et al., Report of the Commission to Assess the Threat to the United 
States from Electromagnetic Pulse (EMP) Attack (2008). 
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down. The impacts of that storm were muted because semiconductor technology did 
not exist at the time. Were the storm to happen today, according to an article in 
Scientific American, it could “severely damage satellites, disable radio communica- 
tions, and cause continent-wide electrical black-outs that would require weeks or 
longer to recover from.”^ Although storms of this magnitude occur rarely, storms 
and flares of lesser intensity occur more frequently. Storms of about half the inten- 
sity of the 1859 storm occur every 50 years or so according to the authors of the 
Scientific American article, and the last such storm occurred in November 1960, 
leading to world-wide geomagnetic disturbances and radio outages. The power grid 
is particularly vulnerable to solar storms, as transformers are electrically grounded 
to the Earth and susceptible to damage from geomagnetically induced currents. The 
damage or destruction of numerous transformers across the country would result in 
reduced grid functionality and even prolonged power outages. 

In March 2010, Oak Ridge National Laboratory (Oak Ridge) and their subcon- 
tractor Metatech released a study that explored the vulnerability of the electric grid 
to EMP-related events. This study was a joint effort contracted by FERC staff, the 
Department of Energy and the Department of Homeland Security and expanded on 
the information developed in other initiatives, including the EMP commission re- 
ports. The series of reports provided detailed technical background and outlined 
which sections of the power grid are most vulnerable, what equipment would be af- 
fected, and what damage could result. Protection concepts for each threat and addi- 
tional methods for remediation were also included along with suggestions for mitiga- 
tion. The results of the study support the general conclusion that EMP events pose 
substantial risk to equipment and operation of the Nation’s power grid and under 
extreme conditions could result in major long term electrical outages. In fact, solar 
magnetic disturbances are inevitable with only the timing and magnitude subject 
to variability. The study assessed the 1921 solar storm, which has been termed a 
1-in-lOO year event, and applied it to today’s power grid. The study concluded that 
such a storm could damage or destroy up to 300 bulk power system transformers 
interrupting service to 130 million people for a period of years. 

On April 30, 2012, the Commission held a technical conference to discuss issues 
related to reliability of the bulk power system as affected by geomagnetic disturb- 
ances. The conference explored the risks and impacts from geomagnetically induced 
currents to transformers and other equipment on the bulk power system, as well 
as options for addressing or mitigating the risks and impacts. The Commission is 
considering the comments filed after that conference. 

The existing reliability standards do not address EMP vulnerabilities. Protecting 
the electric generation, transmission and distribution systems from severe damage 
due to an EMP-related event would involve vulnerability assessments at every level 
of electric infrastructure. 


THE NEED FOR LEGISLATION 

In my view, section 215 of the Federal Power Act provides an adequate statutory 
foundation for the ERO to develop most reliability standards for the bulk power sys- 
tem. However, the nature of a national security threat by entities intent on attack- 
ing the U.S. through vulnerabilities in its electric grid stands in stark contrast to 
other major reliability vulnerabilities that have caused regional blackouts and reli- 
ability failures in the past, such as vegetation management and protective relay 
maintenance practices. Widespread disruption of electric service can quickly under- 
mine the U.S. government, its military, and the economy, as well as endanger the 
health and safety of millions of citizens. Given the national security dimension to 
this threat, there may be a need to act quickly to protect the grid, to act in a man- 
ner where action is mandatory rather than voluntary, and to protect certain infor- 
mation from public disclosure. 

The Commission’s current legal authority is inadequate for such action. This is 
true of both cyber and physical threats to the bulk power system that pose national 
security concerns. Section 215 of the FPA excludes all facilities in Alaska and Ha- 
waii and all local distribution facilities from the Commission’s reliability jurisdic- 
tion, which may leave significant facilities vulnerable to the threat of a cyber or 
physical attack. In addition, although the NERC standards development process as 
envisioned in section 215 can be fine for routine reliability matters, it is too slow, 
too open and too unpredictable to ensure its responsiveness in the cases where na- 
tional security is endangered. This process is inadequate when measures or actions 


^Odenwald, Sten F. and Green, James L., Bracing the Satellite Infrastructure for a Solar 
Superstorm, Scientific American Magazine (Jul. 28, 2008). 
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need to be taken to address threats to national security quickly, effectively and in 
a manner that protects against the disclosure of security-sensitive information. 

These shortcomings can be solved through a comprehensive, government-wide ap- 
proach to cyber security issues or through a sector-specific approach. If a govern- 
ment-wide course is pursued, care should be taken to ensure that the two ap- 
proaches complement each other, preserving FERC’s ability to regulate electric reli- 
ability effectively. Any new legislation should address several key concerns. First, 
to prevent a significant risk of disruption to the grid, legislation should allow the 
federal government to take action before a cyber or physical national security inci- 
dent has occurred. In particular, the federal government should be able to require 
mitigation even before or while NERC and its stakeholders develop a standard, 
when circumstances require urgent action. Second, any legislation should ensure ap- 
propriate confidentiality of sensitive information submitted, developed or issued 
under this authority. Without such confidentiality, the grid may be more vulnerable 
to attack. Third, if additional reliability authority is limited to the bulk power sys- 
tem, as that term is currently defined in the FPA, it would not authorize Federal 
action to mitigate cyber or other national security threats to reliability that involve 
certain critical facilities and major population areas. Fourth, it is important that en- 
tities be able to recover costs they incur to mitigate vulnerabilities and threats. 

CONCLUSION 

The Commission’s current authority is not adequate to address cyber or other na- 
tional security threats to the reliability of our transmission and power system. 
These types of threats pose an increasing risk to our Nation’s electric grid, which 
undergirds our government and economy and helps ensure the health and welfare 
of our citizens. Thank you again for the opportunity to testify today. I would be 
happy to answer any questions you may have. 

The Chairman. Thank you very much. 

Mr. Wilshusen, go right ahead. 

STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFOR- 
MATION AND TECHNOLOGY, GOVERNMENT ACCOUNT- 
ABILITY OFFICE 

Mr. Wilshusen. Mr. Chairman, Ranking Member Murkowski, 
members of the committee. Thank you for the opportunity to testify 
at today’s hearing on actions to secure the electricity grid. 

As you know, the electric power industry, which is composed of 
electricity generation, transmission, distribution, and system oper- 
ations, is increasingly incorporating information technology sys- 
tems and networks into its existing infrastructure, as it modernizes 
the electricity grid. 

The use of IT can provide many benefits, such as greater effi- 
ciency and reliability, and lower costs to consumers. However, this 
increased reliance on computer systems and networks also intro- 
duces cyber-based risk to the grid if the systems and networks are 
not properly protected. 

For nearly a decade, GAO has identified the protection of sys- 
tems supporting our Nation’s critical infrastructure, which includes 
the electricity grid, as a Government- wide, high risk area. 

Today, I will discuss the cyber threats to the electricity grid and 
several of the actions taken and challenges remaining to secure the 
grid. But, first, if I may, Mr. Chairman, I would like to recognize 
several members of my team who were instrumental in developing 
this statement and also conducting the work on which it is based. 

With me today is Anjalique Lawrence, seated behind me. Back 
at the office: Mike Gilmore, Lee McCracken, David Trimble, Jon 
Ludwigson, and Paige Gilbreath, all played significant roles and 
made significant contributions. 
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Mr. Chairman, the threats to systems supporting the electricity 
grid are evolving and growing. They include both unintentional and 
intentional threats, and may come in the form of equipment fail- 
ures, as well as targeted and untargeted attacks from our adver- 
saries. 

The interconnectivity between industrial control systems, com- 
puter networks, and the Internet can amplify the impact of these 
threats and expose the grid to known and unknown cybersecurity 
vulnerabilities, potentially affecting the operations of critical infra- 
structures, the security of sensitive information, and the flow of 
commerce. Several reported incidents illustrate the potentially seri- 
ous impact of these threats. 

To address such concerns. State and Federal authorities play key 
roles in overseeing grid reliability, which involves the security of 
the grid. State regulators generally oversee the reliability of local 
distribution system; whereas, NERC has developed and enforced 
mandatory standards intended to ensure the reliability of the bulk 
power system, which includes certain generation facilities and the 
high voltage electricity transmission network. 

FERC has approved and, thus, made mandatory, 8 critical infra- 
structure standards developed by NERC to help ensure the secure 
electronic exchange of information and to prevent unauthorized 
physical and logical access to critical cyber assets. 

In addition, NIST has identified guidelines on how to securely 
implement smart grid systems and identified an initial set of inter- 
operability and cybersecurity standards for the smart grid. How- 
ever, FERC has not yet adopted these standards, citing a lack of 
consensus for them. 

GAO has previously reported on a number of key challenges to 
securing the modernized electricity grid; for example, aspects of 
current regulatory environment may complicate matters. Specifi- 
cally, jurisdictional issues and the difficulties associated with re- 
sponding to continually evolving cyber threats were a key regu- 
latory challenge to ensuring the cybersecurity of the grid. 

We also reported other challenges affecting industry efforts to se- 
cure the smart grid. Specifically, the electricity industry had not 
consistently built security features for certain smart grid devices, 
established an effective mechanism for sharing cybersecurity infor- 
mation, and created a set of metrics for evaluating the effectiveness 
of cyber security controls. 

GAO has made several recommendations to FERC aimed at ad- 
dressing these challenges and the Commission has agreed with 
these recommendations. 

In summary, Mr. Chairman, the evolving and growing threat 
from cyber-based attacks highlights the importance of securing the 
electricity industry’s systems and networks. A successful attack 
could result in wide-spread power outages, significant monetary 
losses, and extensive property damage. 

More needs to be done to meet the challenges facing the industry 
and enhancing security. In particular. Federal regulators and other 
stakeholders will need to work closely together with the private 
sector, to address cybersecurity challenges, as the generation, 
transmission, and distribution of electricity come to rely more on 
emerging and sophisticated technologies. 



13 


Mr. Chairman, Ranking Member, this completes my statement. 
I would be happy to answer any questions. 

[The prepared statement of Mr. Wilshusen follows:] 

Prepared Statement of Gregory C. Wilshusen, Director, Information and 
Technology, Government Accountability Office 

WHY GAO DID THIS STUDY 

The electric power industry is increasingly incorporating information technology 
(IT) systems and networks into its existing infrastructure (e.g., electricity networks, 
including power lines and customer meters). This use of IT can provide many bene- 
fits, such as greater efficiency and lower costs to consumers. However, this in- 
creased reliance on IT systems and networks also exposes the grid to cybersecurity 
vulnerabilities, which can be exploited by attackers. Moreover, GAO has identified 
protecting systems supporting our nation’s critical infrastructure (which includes 
the electricity grid) as a governmentwide high-risk area. 

GAO was asked to testify on the status of actions to protect the electricity grid 
from cyber attacks. Accordingly, this statement discusses (1) cyber threats facing 
cyber-reliant critical infrastructures, which include the electricity grid, and (2) ac- 
tions taken and challenges remaining to secure the grid against cyber attacks. In 
preparing this statement, GAO relied on previously published work in this area and 
reviewed reports from other federal agencies, media reports, and other publicly 
available sources. 


WHAT GAO recommends 

In a prior report, GAO has made recommendations related to electricity grid mod- 
ernization efforts, including developing an approach to monitor compliance with vol- 
untary standards. These recommendations have not yet been implemented. 

WHAT GAO found 

The threats to systems supporting critical infrastructures are evolving and grow- 
ing. In testimony, the Director of National Intelligence noted a dramatic increase 
in cyber activity targeting U.S. computers and systems, including a more than tri- 
pling of the volume of malicious software. Varying types of threats from numerous 
sources can adversely affect computers, software, networks, organizations, entire in- 
dustries, and the Internet itself. These include both unintentional and intentional 
threats, and may come in the form of targeted or untargeted attacks from criminal 
groups, hackers, disgruntled employees, nations, or terrorists. The interconnectivity 
between information systems, the Internet, and other infrastructures can amplify 
the impact of these threats, potentially affecting the operations of critical infrastruc- 
tures, the security of sensitive information, and the flow of commerce. Moreover, the 
electricity grid’s reliance on IT systems and networks exposes it to potential and 
known cybersecurity vulnerabilities, which could be exploited by attackers. The po- 
tential impact of such attacks has been illustrated by a number of recently reported 
incidents and can include fraudulent activities, damage to electricity control sys- 
tems, power outages, and failures in safety equipment. 

To address such concerns, multiple entities have taken steps to help secure the 
electricity grid, including the North American Electric Reliability Corporation, the 
National Institute of Standards and Technology (NIST), the Federal Energy Regu- 
latory Commission, and the Departments of Homeland Security and Energy. These 
include, in particular, establishing mandatory and voluntary cybersecurity stand- 
ards and guidance for use by entities in the electricity industry. For example, the 
North American Electric Reliability Corporation and the Federal Energy Regulatory 
Commission, which have responsibility for regulation and oversight of part of the 
industry, have developed and approved mandatory cybersecurity standards and ad- 
ditional guidance. In addition, NIST has identified cybersecurity standards that sup- 
port smart grid interoperability and has issued a cybersecurity guideline. The De- 
partments of Homeland Security and Energy have also played roles in dissemi- 
nating guidance on security practices and providing other assistance. 

As GAO previously reported, there were a number of ongoing challenges to secur- 
ing electricity systems and networks. These include: 

• A lack of a coordinated approach to monitor industry compliance with voluntary 
standards. 

• Aspects of the current regulatory environment made it difficult to ensure the 
cybersecurity of smart grid systems. 
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• A focus by utilities on regulatory compliance instead of comprehensive security. 

• A lack of security features consistently built into smart grid systems. 

• The electricity industry did not have an effective mechanism for sharing infor- 
mation on cybersecurity and other issues. 

• The electricity industry did not have metrics for evaluating cybersecurity. 

Chairman Bingaman, Ranking Member Murkowski, and Members of the Com- 
mittee: 

Thank you for the opportunity to testify at today’s hearing on the status of actions 
to protect the electricity grid from cyber attacks. 

As you know, the electric power industry is increasingly incorporating information 
technology (IT) systems and networks into its existing infrastructure (e.g., electricity 
networks including power lines and customer meters). This use of IT can provide 
many benefits, such as greater efficiency and lower costs to consumers. Along with 
these anticipated benefits, however, cybersecurity and industry experts have ex- 
pressed concern that, if not implemented securely, modernized electricity grid sys- 
tems will be vulnerable to attacks that could result in widespread loss of electrical 
services essential to maintaining our national economy and security. 

In addition, since 2003 we have identified protecting systems supporting our na- 
tion’s critical infrastructure (which includes the electricity grid) as a government- 
wide high-risk area, and we continue to do so in the most recent update to our high- 
risk list.i 

In my testimony today, I will describe (1) cyber threats facing cyber-reliant crit- 
ical infrastructures,^ which include the electricity grid, and (2) actions taken and 
challenges remaining to secure the grid against cyber attacks. In preparing this 
statement in July 2012, we relied on our previous work in this area, including stud- 
ies examining efforts to secure the electricity grid and associated challenges and 
cybersecurity guidance. ^ (Please see the related GAO products in appendix I.) The 
products upon which this statement is based contain detailed overviews of the scope 
of our reviews and the methodology we used. We also reviewed documents from the 
Federal Energy Regulatory Commission, the North American Electric Reliability 
Corporation, the Department of Energy, including its Office of the Inspector Gen- 
eral, and the Department of Homeland Security Industrial Control Systems Cyber 
Emergency Response Team, as well as publicly available reports on cyber incidents. 
The work on which this statement is based was performed in accordance with gen- 
erally accepted government auditing standards. Those standards require that we 
plan and perform audits to obtain sufficient, appropriate evidence to provide a rea- 
sonable basis for our findings and conclusions. We believe that the evidence ob- 
tained provided a reasonable basis for our findings and conclusions based on our 
audit objectives. 


BACKGROUND 

The electricity industry, as shown in figure 1, is composed of four distinct func- 
tions: generation, transmission, distribution, and system operations. Once electricity 
is generated — whether by burning fossil fuels; through nuclear fission; or by har- 
nessing wind, solar, geothermal, or hydro energy — it is generally sent through high- 
voltage, high-capacity transmission lines to local electricity distributors. Once there, 
electricity is transformed into a lower voltage and sent through local distribution 
lines for consumption by industrial plants, Eusinesses, and residential consumers. 
Because electric energy is generated and consumed almost instantaneously, the op- 
eration of an electric power system requires that a system operator constantly bal- 
ance the generation and consumption of power. 

Utilities own and operate electricity assets, which may include generation plants, 
transmission lines, distribution lines, and substations — structures often seen in resi- 


1 GAO’s biennial high-risk list identifies government programs that have greater vulnerability 
to fraud, waste, abuse, and mismanagement or need transformation to address economy, effi- 
ciency, or effectiveness challenges. We have designated federal information security as a govern- 
mentwide high-risk area since 1997; in 2003, we expanded this high-risk area to include pro- 
tecting systems supporting our nation’s critical infrastructure — referred to as cyber-critical infra- 
structure protection, or cyber CIP. See, most recently, GAO, High-Risk Series: An Update, GAO- 
11-278 (Washington, D.C.: February 2011). 

2 Federal policy established 18 critical infrastructure sectors. These include, for example, 
banking and finance, communications, public health, and energy. The energy sector includes 
subsectors for oil and gas and for electricity. 

3 GAO, Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can 
Be Done to Promote Its Use, GAO-12-92 (Washington, D.C.: Dec. 9, 2011), and Electricity Grid 
Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain 
to be Addressed, GAO-11-117 (Washington, D.C.: Jan. 12, 2011). 
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dential and commercial areas that contain technical equipment such as switches 
and transformers to ensure smooth, safe flow of current and regulate voltage. Utili- 
ties may he owned by investors, municipalities, and individuals (as in cooperative 
utilities). System operators — sometimes affiliated with a particular utility or some- 
times independent and responsible for multiple utility areas — manage the electricity 
flows. These system operators manage and control the generation, transmission, and 
distribution of electric power using control systems — IT-and network-based systems 
that monitor and control sensitive processes and physical functions, including open- 
ing and closing circuit breakers.'^ As we have previously reported, the effective func- 
tioning of the electricity industry is highly dependent on these control systems.® 
However, for many years, aspects of the electricity network lacked (1) adequate 
technologies — such as sensors — to allow system operators to monitor how much elec- 
tricity was flowing on distribution lines, (2) communications networks to further in- 
tegrate parts of the electricity grid with control centers, and (3) computerized con- 
trol devices to automate system management and recovery. 

MODERNIZATION OF THE ELECTRICITY INFRASTRUCTURE 

As the electricity industry has matured and technology has advanced, utilities 
have begun taking steps to update the electricity grid — the transmission and dis- 
tribution systems — by integrating new technologies and additional IT systems and 
networks. Though utilities have regularly taken such steps in the past, industry and 
government stakeholders have be^n to articulate a broader, more integrated vision 
for transforming the electricity grid into one that is more reliable and efficient; fa- 
cilitates alternative forms of generation, including renewable energy; and gives con- 
sumers real-time information about fluctuating energy costs. 

This vision — the smart grid — would increase the use of IT systems and networks 
and two-way communication to automate actions that system operators formerly 
had to make manually. Electricity grid modernization is an ongoing process, and ini- 
tiatives have commonly involved installing advanced metering infrastructure (smart 
meters) on homes and commercial buildings that enable two-way communication be- 
tween the utility and customer. Other initiatives include adding “smart” components 
to provide the system operator with more detailed data on the conditions of the 
transmission and distribution systems and better tools to observe the overall condi- 
tion of the grid (referred to as “wide-area situational awareness”). These include ad- 
vanced, smart switches on the distribution system that communicate with each 
other to reroute electricity around a troubled line and high-resolution, time-syn- 
chronized monitors — called phasor measurement units — on the transmission system. 

The use of smart grid systems may have a number of benefits, including improved 
reliability from fewer and shorter outages, downward pressure on electricity rates 
resulting from the ability to shift peak demand, an improved ability to shift to alter- 
native sources of energy, and an improved ability to detect and respond to potential 
attacks on the grid. 


REGULATION OF THE ELECTRICITY INDUSTRY 

Both the federal government and state governments have authority for overseeing 
the electricity industry. For example, the Federal Energy Regulatory Commission 
(FERC) regulates rates for wholesale electricity sales and transmission of electricity 
in interstate commerce. This includes approving whether to allow utilities to recover 
the costs of investments they make to the transmission system, such as smart grid 
investments. Meanwhile, local distribution and retail sales of electricity are gen- 
erally subject to regulation by state public utility commissions. 

State and federal authorities also play key roles in overseeing the reliability of 
the electric grid. State regulators generally have authority to oversee the reliability 
of the local distribution system. The North American Electric Reliability Corporation 
(NERC) is the federally designated U.S. Electric Reliability Organization, and is 
overseen by FERC. NERC has responsibility for conducting reliability assessments 
and developing and enforcing mandatory standards to ensure the reliability of the 
bulk power system — i.e., facilities and control systems necessary for operating the 
transmission network and certain generation facilities needed for reliability. NERC 
develops reliability standards collaboratively through a deliberative process involv- 
ing utilities and others in the industry, which are then sent to FERC for approval. 
These standards include critical infrastructure protection standards for protecting 


'^Circuit breakers are devices used to open or close electric circuits. If a transmission or dis- 
tribution line is in trouble, a circuit breaker can disconnect it from the rest of the system. 

®GAO, Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are 
Under Way, but Challenges Remain, GAO-07-1036 (Washington, D.C.: Sept. 10, 2007). 
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electric utility-critical and cyber-critical assets. FERC has responsibility for review- 
ing and approving the reliability standards or directing NERC to modify them. 

In addition, the Energy Independence and Security Act of 2007® established fed- 
eral policy to support the modernization of the electricity grid and required actions 
by a number of federal agencies, including the National Institute of Standards and 
Technology (NIST), FERC, and the Department of Energy. With regard to 
cybersecurity, the act required NIST and FERC to take the following actions: 

• NISTwas to coordinate development of a framework that includes protocols and 
model standards for information management to achieve interoperability of 
smart grid devices and systems. As part of its efforts to accomplish this, NIST 
planned to identify cybersecurity standards for these systems and also identified 
the need to develop guidelines for organizations such as electric companies on 
how to securely implement smart grid systems. In January 2011,^ we reported 
that NIST had identified 11 standards involving cybersecurity that support 
smart grid interoperability and had issued a first version of a cybersecurity 
guideline.® 

• FERC was to adopt standards resulting from NIST’s efforts that it deemed nec- 
essary to ensure smart grid functionality and interoperability. However, accord- 
ing to FERC officials, the statute did not provide specific additional authority 
to allow FERC to require utilities or manufacturers of smart grid technologies 
to follow these standards. As a result, any standards identified and developed 
through the NIST-led process are voluntary unless regulators use other authori- 
ties to indirectly compel utilities and manufacturers to follow them. 

THE ELECTRICITY GRID IS POTENTIALLY VULNERABLE TO AN EVOLVING ARRAY OF 
CYBER-BASED THREATS 

Threats to systems supporting critical infrastructure — which includes the elec- 
tricity industry and its transmission and distribution systems — are evolving and 
growing. In February 2011, the Director of National Intelligence testified that, in 
the past year, there had been a dramatic increase in malicious cyber activity tar- 
geting U.S. computers and networks, including a more than tripling of the volume 
of malicious software since 2009.® Different types of cyber threats from numerous 
sources may adversely affect computers, software, networks, organizations, entire 
industries, or the Internet. Cyber threats can be unintentional or intentional. Unin- 
tentional threats can be caused by software upgrades or maintenance procedures 
that inadvertently disrupt systems. Intentional threats include both targeted and 
untargeted attacks from a variety of sources, including criminal groups, hackers, 
disgruntled employees, foreign nations engaged in espionage and information war- 
fare, and terrorists. Table 1 shows common sources of cyber threats. 

TABLE 1: SOURCES OF CYBERSECURITY THREATS 


Threat source 

Description 

Bot-network operators 

Bot-net operators use a network, or bot-net, of 
compromised, remotely controlled systems to co- 
ordinate attacks and to distribute phishing 
schemes, spam, and malware attacks. The services 
of these networks are sometimes made available 
on underground markets (e.g., purchasing a denial- 
of-service attack or services to relay spam or 
phishing attacks). 


6 Pub. L. No. 110-140 (Dec. 19, 2007). 

''GAO-11-117. 

®NIST Special Publication 1108, NIST Framework and Roadmap for Smart Grid Interoper- 
ability Standards, Release 1.0, January 2010 and NIST Interagency Report 7628, Guidelines for 
Smart Grid Cyber Security, August 2010. 

® Director of National Intelligence, Statement for the Record on the Worldwide Threat Assess- 
ment of the U.S. Intelligence Community, statement before the Senate Select Committee on In- 
telligence (Feb. 16, 2011). 
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TABLE 1: 

SOURCES OF CYBERSECURITY THREATS— Continued 

Threat source 

Description 

Criminal groups 

Criminal groups seek to attack systems for mone- 
tary gain. Specifically, organized criminal groups 
use spam, phishing, and spyware/malware to com- 
mit identity theft, online fraud, and computer ex- 
tortion. International corporate spies and criminal 
organizations also pose a threat to the United 
States through their ability to conduct industrial 
espionage and large-scale monetary theft and to 
hire or develop hacker talent. 

Hackers 

Hackers break into networks for the thrill of the 
challenge, bragging rights in the hacker commu- 
nity, revenge, stalking, monetary gain, and polit- 
ical activism, among other reasons. While gaining 
unauthorized access once required a fair amount of 
skill or computer knowledge, hackers can now 
download attack scripts and protocols from the 
Internet and launch them against victim sites. 
Thus, while attack tools have become more sophis- 
ticated, they have also become easier to use. Ac- 
cording to the Central Intelligence Agency, the 
large majority of hackers do not have the requisite 
expertise to threaten difficult targets such as crit- 
ical U.S. networks. Nevertheless, the worldwide 
population of hackers poses a relatively high 
threat of an isolated or brief disruption causing se- 
rious damage. 

Insiders 

The disgruntled organization insider is a principal 
source of computer crime. Insiders may not need a 
great deal of knowledge about computer intrusions 
because their knowledge of a target system often 
allows them to gain unrestricted access to cause 
damage to the system or to steal system data. The 
insider threat includes contractors hired by the or- 
ganization, as well as careless or poorly trained 
employees who may inadvertently introduce 
malware into systems. 

Nations 

Nations use cyber tools as part of their informa- 
tion-gathering and espionage activities. In addi- 
tion, several nations are aggressively working to 
develop information warfare doctrine, programs, 
and capabilities. Such capabilities enable a single 
entity to have a significant and serious impact by 
disrupting the supply, communications, and eco- 
nomic infrastructures that support military 
power — impacts that could affect the daily lives of 
citizens across the country. In his January 2012 
testimony, the Director of National Intelligence 
stated that, among state actors, China and Russia 
are of particular concern. 

Phishers 

Individuals or small groups execute phishing 
schemes in an attempt to steal identities or infor- 
mation for monetary gain. Phishers may also use 
spam and spyware or malware to accomplish their 
objectives. 
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TABLE 1: SOURCES OF CYBERSECURITY THREATS— Continued 


Threat source 

Description 

Spammers 

Individuals or organizations distribute unsolicited 
e-mail with hidden or false information in order to 
sell products, conduct phishing schemes, distribute 
spyware or malware, or attack organizations (e.g., 
a denial of service). 

Spyware or malware authors 

Individuals or organizations with malicious intent 
carry out attacks against users by producing and 
distributing spyware and malware. Several de- 
structive computer viruses and worms have 
harmed files and hard drives, including the Me- 
lissa Macro Virus, the Explore.Zip worm, the CIH 
(Chernobyl) Virus, Nimda, Code Red, Slammer, 
and Blaster. 

Terrorists 

Terrorists seek to destroy, incapacitate, or exploit 
critical infrastructures in order to threaten na- 
tional security, cause mass casualties, weaken the 
economy, and damage public morale and con- 
fidence. Terrorists may use phishing schemes or 
spyware/malware in order to generate funds or 
gather sensitive information. 

Source: GAO analysis based on data from the Director of National Intelligence, Department 
of Justice, Central Intelligence Agency, and the Software Engineering Institute’s CERT® Co- 
ordination Center. 

These sources of cyber threats make use of various techniques, or exploits that 
may adversely affect computers, software, a network, an organization’s operation, an 
industry, or the Internet itself. Table 2 shows common types of cyber exploits. 

TABLE 2: TYPES OF CYBER EXPLOITS 

Type of exploit 

Description 

Cross-site scripting 

An attack that uses third-party web resources to 
run script within the victim’s web browser or 
scriptable application. This occurs when a browser 
visits a malicious website or clicks a malicious 
link. The most dangerous consequences occur when 
this method is used to exploit additional 
vulnerabilities that may permit an attacker to 
steal cookies (data exchanged between a web serv- 
er and a browser), log key strokes, capture screen 
shots, discover and collect network information, 
and remotely access and control the victim’s ma- 
chine. 

Denial-of-service 

An attack that prevents or impairs the authorized 
use of networks, systems, or applications by ex- 
hausting resources. 

Distributed denial-of-service 

A variant of the denial-of-service attack that uses 
numerous hosts to perform the attack. 

Logic bombs 

A piece of programming code intentionally inserted 
into a software system that will cause a malicious 
function to occur when one or more specified condi- 
tions are met. 
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TABLE 2: TYPES OF CYBER EXPLOITS— Continued 


Type of exploit 

Description 

Phishing 

A digital form of social engineering that uses au- 
thentic-looking, but fake, e-mails to request infor- 
mation from users or direct them to a fake website 
that requests information. 

Passive wiretapping 

The monitoring or recording of data, such as pass- 
words transmitted in clear text, while they are 
being transmitted over a communications link. 

This is done without altering or affecting the data. 

Structured Query Language 
(SQL) injection 

An attack that involves the alteration of a data- 
base search in a web-based application, which can 
be used to obtain unauthorized access to sensitive 
information in a database. 

Trojan horse 

A computer program that appears to have a useful 
function, but also has a hidden and potentially ma- 
licious function that evades security mechanisms 
by, for example, masquerading as a useful program 
that a user would likely execute. 

Virus 

A computer program that can copy itself and infect 
a computer without the permission or knowledge of 
the user. A virus might corrupt or delete data on a 
computer, use e-mail programs to spread itself to 
other computers, or even erase ever 3 d;hing on a 
hard disk. Unlike a computer worm, a virus re- 
quires human involvement (usually unwitting) to 
propagate. 

War driving 

The method of driving through cities and neighbor- 
hoods with a wireless-equipped computer — some- 
times with a powerful antenna — searching for un- 
secured wireless networks. 

Worm 

A self-replicating, self-propagating, self-contained 
program that uses network mechanisms to spread 
itself. Unlike computer viruses, worms do not re- 
quire human involvement to propagate. 

Zero-day exploit 

An exploit that takes advantage of a security vul- 
nerability previously unknown to the general pub- 
lic. In many cases, the exploit code is written by 
the same person who discovered the vulnerability. 
By writing an exploit for the previously unknown 
vulnerability, the attacker creates a potent threat 
since the compressed timeframe between public 
discoveries of both makes it difficult to defend 
against 


Source: GAO analysis of data from the National Institute of Standards and Technology, 
United States Computer Emergency Readiness Team, and industry reports. 


ELECTRICITY GRID FACES CYBERSECURITY VULNERABILITIES 

The potential impact of these threats is amplified by the connectivity between in- 
formation systems, the Internet, and other infrastructures, creating opportunities 
for attackers to disrupt critical services, including electrical power. In addition, the 
increased reliance on IT systems and networks also exposes the electric grid to po- 
tential and known cybersecurity vulnerabilities. These vulnerabilities include 

• an increased number of entry points and paths that can be exploited by poten- 
tial adversaries and other unauthorized users; 

• the introduction of new, unknown vulnerabilities due to an increased use of new 
system and network technologies; 
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• wider access to systems and networks due to increased connectivity; and 

• an increased amount of customer information being collected and transmitted, 
providing incentives for adversaries to attack these systems and potentially put- 
ting private information at risk of unauthorized disclosure and use. 

In May 2008, we reported that the corporate network of the Tennessee Valley Au- 
thority — the nation’s largest public power company, which generates and distributes 
power in an area of about 80,000 square miles in the southeastern United States — 
contained security weaknesses that could lead to the disruption of control systems 
networks and devices connected to that network. We made 19 recommendations 
to improve the implementation of information security program activities for the 
control systems governing the Tennessee Valley Authority’s critical infrastructures 
and 73 recommendations to address specific weaknesses in security controls. The 
Tennessee Valley Authority concurred with the recommendations and has taken 
steps to implement them. 

We and others have also reported that smart grid and related systems have 
known cyber vulnerabilities. For example, cybersecurity experts have demonstrated 
that certain smart meters can be successfully attacked, possibly resulting in disrup- 
tion to the electricity grid. In addition, we have reported that control systems used 
in industrial settings such as electricity generation have vulnerabilities that could 
result in serious damages and disruption if exploited.^'^ Further, in 2007, the De- 
partment of Homeland Security, in cooperation with the Department of Energy, ran 
a test that demonstrated that a vulnerability commonly referred to as “Aurora” had 
the potential to allow unauthorized users to remotely control, misuse, and cause 
damage to a small commercial electric generator. Moreover, in 2008, the Central In- 
telligence Agency reported that malicious activities against IT systems and net- 
works have caused disruption of electric power capabilities in multiple regions over- 
seas, including a case that resulted in a multicity power outage. As government, 
private sector, and personal activities continue to move to networked operations, the 
threat will continue to grow. 

REPORTED INCIDENTS ILLUSTRATE THE POTENTIAL IMPACT OF CYBER THREATS 

Cyber incidents continue to affect the electricity industry. For example, the De- 
partment of Homeland Security’s Industrial Control Systems Cyber Emergency Re- 
sponse Team recently noted that the number of reported cyber incidents affecting 
control systems of companies in the electricity sector increased from 3 in 2009 to 
26 in 2011. In addition, we and others have reported^® that cyber incidents can af- 
fect the operations of energy facilities, as the following examples illustrate: 

• Smart meter attacks. — In April 2012, it was reported that sometime in 2009 an 
electric utility asked the FBI to help it investigate widespread incidents of 
power thefts through its smart meter deployment. The report indicated that the 
miscreants hacked into the smart meters to change the power consumption re- 
cording settings using software available on the Internet. 

• Phishing attacks directed at energy sector. — The Department of Homeland Se- 
curity’s Industrial Control Systems Cyber Emergency Response Team reported 
that, in 2011, it deployed incident response teams to an electric bulk provider 
and an electric utility that had been victims of broader phishing attacks. The 
team found three malware samples and detected evidence of a sophisticated 
threat actor. 

• Stuxnet. — In July 2010, a sophisticated computer attack known as Stuxnet was 
discovered. It targeted control systems used to operate industrial processes in 
the energy, nuclear, and other critical sectors. It is designed to exploit a com- 
bination of vulnerabilities to gain access to its target and modify code to change 
the process. 

• Browns Ferry power plant. — In August 2006, two circulation pumps at Unit 3 
of the Browns Ferry, Alabama, nuclear power plant failed, forcing the unit to 
be shut down manually. The failure of the pumps was traced to excessive traffic 
on the control system network, possibly caused by the failure of another control 
system device. 

• Northeast power blackout. — In August 2003, failure of the alarm processor in 
the control system of FirstEnergy, an Ohio-based electric utility, prevented con- 


i^’GAO, Information Security: TVA Needs to Address Weaknesses in Control Systems and 
Networks, GAO-08-526 (Washington, D.C.: May 21, 2008). 
iiGAO-07-1036. 

The White House, Cyberspace Policy Review: Assuring a Trusted and Resilient Information 
and Communications Infrastructure (Washington, D.C.: May 29, 2009). 

13GAO-07-1036 and GAO-12-92. 
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trol room operators from having adequate situational awareness of critical oper- 
ational changes to the electrical grid. When several key transmission lines in 
northern Ohio tripped due to contact with trees, they initiated a cascading fail- 
ure of 508 generating units at 265 power plants across eight states and a Cana- 
dian province. 

• Davis-Besse power plant. — The Nuclear Regulatory Commission confirmed that 
in January 2003, the Microsoft SQL Server worm known as Slammer infected 
a private computer network at the idled Davis-Besse nuclear power plant in 
Oak Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours. In 
addition, the plant’s process computer failed, and it took about 6 hours for it 
to become available again. 

ACTIONS HAVE BEEN TAKEN TO SECURE THE ELECTRICITY GRID, BUT CHALLENGES 

REMAIN 

Multiple entities have taken steps to help secure the electricity grid, including 
NERC, NIST, FERC, and the Departments of Homeland Security and Energy. 
NERC has performed several activities that are intended to secure the grid. It has 
developed eight critical infrastructure standards for protecting electric utility-critical 
and cyber-critical assets. 

The standards established requirements for the following key cybersecurity-re- 
lated controls: critical cyber asset identification, security management controls, per- 
sonnel and training, electronic “security perimeters,” physical security of critical 
cyber assets, systems security management, incident reporting and response plan- 
ning, and recovery plans for critical cyber assets. In December 2011, we reported 
that NERC’s eight cyber security standards, along with supplementary documents, 
were substantially similar to NIST guidance applicable to federal agencies. 

NERC also has published security guidelines for companies to consider for pro- 
tecting electric infrastructure systems, although such guidelines are voluntary and 
typically not checked for compliance. For example, NERC’s June 2010 Security 
Guideline for the Electricity Sector: Identifying Critical Cyber Assets is intended to 
assist entities in identifying and developing a list of critical cyber assets as de- 
scribed in the mandatory standards. NERC also has enforced compliance with man- 
datory cybersecurity standards through its Compliance Monitoring and Enforcement 
Program, subject to FERC review. NERC has assessed monetary penalties for viola- 
tions of its cyber security standards. 

NIST, in implementing its responsibilities under the Energy Independence and 
Security Act of 2007 with regard to standards to achieve interoperability of smart 
grid systems, planned to identify cybersecurity standards for these systems. In Jan- 
uary 2011, we reported^® that it had identified 11 standards involving cybersecurity 
that support smart grid interoperability and had issued a first version of a 
cybersecurity guideline.'^® NIST’s cybersecurity guidelines largely addressed key 
cybersecurity elements, such as assessment of cybersecurity risks and identification 
of security requirements (i.e., controls); however, its guidelines did not address an 
important element essential to securing smart grid systems — the risk of attacks 
using both cyber and physical means. NIST officials said that they intended to up- 
date the guidelines to address this and other missing elements they identified, but 
their plan and schedule for doing so were still in draft form. We recommended that 
NIST finalize its plan and schedule for incorporating missing elements, and NIST 
officials agreed. We are currently working with officials to determine the status of 
their efforts to address these recommendations. 

FERC also has taken several actions to help secure the electricity grid. For exam- 
ple, it reviewed and approved NERC’s eight critical infrastructure protection stand- 
ards in 2008. Since then, in its role of overseeing the development of reliability 
standards, the commission has directed NERC to make numerous changes to stand- 
ards to improve cybersecurity protections. However, according to the FERC Chair- 
man’s February 2012 letter in response to our report on electricity grid moderniza- 
tion, many of the outstanding directives have not been incorporated into the latest 
versions of the standards. The Chairman added that the commission would continue 
to work with NERC to incorporate the directives. In addition, FERC has authorized 
NERC to enforce mandatory reliability standards for the bulk power system, while 
retaining its authority to enforce the same standards and assess penalties for viola- 


1“ GAO-12-92. 

15 GAO-11-117. 

i^NIST Special Publication 1108, NIST Framework and Roadmap for Smart Grid Interoper- 
ability Standards, Release 1.0, January 2010 and NIST Interagency Report 7628, Guidelines for 
Smart Grid Cyber Security, August 2010. 

11 GAO-11-117. 
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tions. We reported in January 2011 that FERC also had begun reviewing initial 
smart grid standards identified as part of NIST efforts. However, in July 2011, the 
commission declined to adopt the initial smart grid standards identified as a part 
of the NIST efforts, finding that there was insufficient consensus to do so. 

The Department of Homeland Security has been designated by federal policy as 
the principal federal agency to lead, integrate, and coordinate the implementation 
of efforts to protect cyber-critical infrastructures and key resources. Under this role, 
the Department’s National Cyber Security Division’s Control Systems Security Pro- 
gram has issued recommended practices to reduce risks to industrial control sys- 
tems within and across all critical infrastructure and key resources sectors, includ- 
ing the electricity subsector. For example, in April 2011, the program issued the 
Catalog of Control Systems Security: Recommendations for Standards Developers, 
which is intended to provide a detailed listing of recommended controls from several 
standards related to control systems. The program also manages and operates the 
Industrial Control Systems Cyber Emergency Response Team to respond to and 
analyze control-systems-related incidents, provide onsite support for incident re- 
sponse and forensic analysis, provide situational awareness in the form of actionable 
intelligence, and share and coordinate vulnerability information and threat analysis 
through information products and alerts. For example, it reported providing on-site 
assistance to six companies in the electricity subsector, including a bulk electric 
power provider and multiple electric utilities, during 2009-2011. 

The Department of Energy is the lead federal agency which is responsible for co- 
ordinating critical infrastructure protection efforts with the public and private 
stakeholders in the energy sector, including the electricity subsector. In this regard, 
we have reported that officials from the Department’s Office of Electricity Delivery 
and Energy Reliability stated that the department was involved in efforts to assist 
the electricity sector in the development, assessment, and sharing of cybersecurity 
standards.'^® For example, the department was working with NIST to enable state 
power producers to use current cybersecurity guidance. In May 2012, the depart- 
ment released the Electricity Subsector Cybersecurity Risk Management Process.^® 
The guideline is intended to ensure that cybersecurity risks for the electric grid are 
addressed at the organization, mission or business process, and information system 
levels. We have not evaluated this guide. 

CHALLENGES TO SECURING ELECTRICITY SYSTEMS AND NETWORKS 

In our January 2011 report, we identified a number of key challenges that indus- 
try and government stakeholders faced in ensuring the cybersecurity of the systems 
and networks that support our nation’s electricity grid.^i These included the fol- 
lowing: 

• There was a lack of a coordinated approach to monitor whether industry follows 
voluntary standards. — ^As mentioned above, under the Energy Independence 
and Security Act of 2007, FERC is responsible for adopting cybersecurity and 
other standards that it deems necessary to ensure smart grid functionality and 
interoperahility. However, FERC had not developed an approach coordinated 
with other regulators to monitor, at a high level, the extent to which industry 
will follow the voluntary smart grid standards it adopts. There had been initial 
efforts by regulators to share views, through, for example, a collahorative dia- 
logue between EERC and the National Association of Regulatory Utility Com- 
missioners, which had discussed the standards-setting process in general terms. 
Nevertheless, according to officials from FERC and the National Association of 
Regulatory Utility Commissioners, FERC and the state public utility commis- 
sions had not established a joint approach for monitoring how widely voluntary 
smart grid standards are followed in the electricity industry or developed strate- 
gies for addressing any gaps. Moreover, FERC had not coordinated in such a 
way with groups representing public power or cooperative utilities, which are 
not routinely subject to FERC’s or the states’ regulatory jurisdiction for rate set- 
ting. We noted that without a good understanding of whether utilities and man- 
ufacturers are following smart grid standards, it would be difficult for FERC 


DHS, National Cyber Security Division, Control Systems Security Program, Catalog of Con- 
trol Systems Security: Recommendations for Standards Developers (April 2011). 

GAO-12-92. 

2®U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process, 
DOE/OE-0003 (Washington, D.C.: May 2012). 

21 GAO-11-117. 
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and other regulators to know whether a voluntary approach to standards set- 
ting is effective or if changes are needed.^^ 

• Aspects of the current regulatory environment made it difficult to ensure the 
cybersecurity of smart grid systems. — In particular, jurisdictional issues and the 
difficulties associated with responding to continually evolving cyber threats 
were a key regulatory challenge to ensuring the cybersecurity of smart grid sys- 
tems as they are deployed. Regarding jurisdiction, experts we spoke with ex- 
pressed concern that there was a lack of clarity about the division of responsi- 
bility between federal and state regulators, particularly regarding cybersecurity. 
While jurisdictional responsibility has historically been determined by whether 
a technology is located on the transmission or distribution system, experts 
raised concerns that smart grid technology may blur these lines. For example, 
devices such as smart meters deployed on parts of the grid traditionally subject 
to state jurisdiction could, in the aggregate, have an impact on those parts of 
the grid that federal regulators are responsible for — namely the reliability of the 
transmission system. 

There was also concern about the ability of regulatory bodies to respond to 
evolving cybersecurity threats. For example, one expert questioned the ability 
of government agencies to adapt to rapidly evolving threats, while another high- 
lighted the need for regulations to be capable of responding to the evolving 
cybersecurity issues. In addition, our experts expressed concern with agencies 
developing regulations in the future that are overly specific in their require- 
ments, such as those specifying the use of a particular product or technology. 
Consequently, unless steps are taken to mitigate these challenges, regulations 
may not be fully effective in protecting smart grid technology from cybersecurity 
threats. 

• Utilities were focusing on regulatory compliance instead of comprehensive secu- 
rity. — The existing federal and state regulatory environment creates a culture 
within the utility industry of focusing on compliance with cybersecurity require- 
ments, instead of a culture focused on achieving comprehensive and effective 
cybersecurity. Specifically, experts told us that utilities focus on achieving min- 
imum regulatory requirements rather than designing a comprehensive approach 
to system security. In addition, one expert stated that security requirements are 
inherently incomplete, and having a culture that views the security problem as 
being solved once those requirements are met will leave an organization vulner- 
able to cyber attack. Consequently, without a comprehensive approach to secu- 
rity, utilities leave themselves open to unnecessary risk. 

• There was a lack of security features built into smart grid systems. Security 
features are not consistently built into smart grid devices. — For example, ex- 
perts told us that certain currently available smart meters had not been de- 
signed with a strong security architecture and lacked important security fea- 
tures, including event logging^® and forensics capabilities that are needed to de- 
tect and analyze attacks. In addition, our experts stated that smart grid home 
area networks — used for managing the electricity usage of appliances and other 
devices in the home — did not have adequate security built in, thus increasing 
their vulnerability to attack. Without securely designed smart grid systems, 
utilities may lack the capability to detect and analyze attacks, increasing the 
risk that attacks will succeed and utilities will be unable to prevent them from 
recurring. 

• The electricity industry did not have an effective mechanism for sharing infor- 
mation on cybersecurity and other issues. — The electricity industry lacked an ef- 
fective mechanism to disclose information about cybersecurity vulnerabilities, 
incidents, threats, lessons learned, and best practices in the industry. For exam- 
ple, our experts stated that while the electricity industry has an information 
sharing center, it did not fully address these information needs. In addition. 
President Obama’s May 2009 cyberspace policy review also identified challenges 


22 In an order issued on July 19, 2011, FERC reported that it had found insufficient consensus 
to institute a rulemaking proceeding to adopt smart grid interoperability standards identified 
by NIST as ready for consideration by regulatory authorities. While FERC dismissed the rule- 
making, it encouraged utilities, smart grid product manufacturers, regulators, and other smart 
grid stakeholders to actively participate in the NIST interoperability framework process to work 
on the development of interoperability standards and to refer to that process for guidance on 
smart grid standards. Despite this result, we believe our recommendations to FERC in GAO- 
11-117, with which FERC concurred, remain valid and should be acted upon as consensus is 
reached and standards adopted. 

23 Event logging is a capability of an IT system to record events occurring within an organiza- 
tion’s systems and networks, including those related to computer security. 
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related to cybersecurity information sharing within the electric and other crit- 
ical infrastructure sectors and issued recommendations to address them.^^ Ac- 
cording to our experts, information regarding incidents such as both unsuccess- 
ful and successful attacks must be able to be shared in a safe and secure way 
to avoid publicly revealing the reported organization and penalizing entities ac- 
tively engaged in corrective action. Such information sharing across the indus- 
try could provide important information regarding the level of attempted cyber 
attacks and their methods, which could help grid operators better defend 
against them. If the industry pursued this end, it could draw upon the practices 
and approaches of other industries when designing an industry-led approach to 
cybersecurity information sharing. Without quality processes for information 
sharing, utilities will not have the information needed to adequately protect 
their assets against attackers. 

• The electricity industry did not have metrics for evaluating cybersecurity. — The 
electricity industry was also challenged by a lack of cybersecurity metrics, mak- 
ing it difficult to measure the extent to which investments in cybersecurity im- 
prove the security of smart grid systems. Experts noted that while such 
metrics^® are difficult to develop, they could help compare the effectiveness of 
competing solutions and determine what mix of solutions combine to make the 
most secure system. Furthermore, our experts said that having metrics would 
help utilities develop a business case for cybersecurity by helping to show the 
return on a particular investment. Until such metrics are developed, there is 
increased risk that utilities will not invest in security in a cost-effective manner, 
or have the information needed to make informed decisions on their 
cybersecurity investments. 

To address these challenges, we made recommendations in our January 2011 re- 
port. To improve coordination among regulators and help Congress better assess the 
effectiveness of the voluntary smart grid standards process, we recommended that 
the Chairman of FERC develop an approach to coordinate with state regulators and 
with groups that represent utilities subject to less FERC and state regulation to (1) 
periodically evaluate the extent to which utilities and manufacturers are following 
voluntary interoperability and cybersecurity standards and (2) develop strategies for 
addressing any gaps in compliance with standards that are identified as a result 
of this evaluation. We also recommended that FERC, working with NERC as appro- 
priate, assess whether commission efforts should address any of the cybersecurity 
challenges identified in our report. FERC agreed with these recommendations. 

Although FERC agreed with these recommendations, they have not yet been im- 
plemented. According to the FERC Chairman, given the continuing evolution of 
standards and the lack of sufficient consensus for regulatory adoption, commission 
staff believe that coordinated monitoring of compliance with standards would be 
premature at this time, and that this may change as new standards are developed 
and deployed in industry. We believe that it is still important for FERC to improve 
coordination among regulators and that consensus is reached on standards. We will 
continue to monitor the status of its efforts to address these recommendations. 

In summary, the evolving and growing threat from cyber-based attacks highlights 
the importance of securing the electricity industry’s systems and networks. A suc- 
cessful attack could result in widespread power outages, significant monetary costs, 
damage to property, and loss of life. The roles of NERC and FERC remain critical 
in approving and disseminating cybersecurity guidance and enforcing standards, as 
appropriate. Moreover, more needs to be done to meet challenges facing the industry 
in enhancing security, particularly as the generation, transmission, and distribution 
of electricity comes to rely more on emerging and sophisticated technology. 

Chairman Bingaman, Ranking Member Murkowski, and Members of the Com- 
mittee, this concludes my statement. I would be happy to answer any questions you 
may have at this time. 
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24 The White House, Cyberspace Policy Review: Assuring a Trusted and Resilient Information 
and Communications Infrastructure (Washington, D.C.: May 29, 2009). 

25 Metrics can be used for, among other things, measuring the effectiveness of cybersecurity 
controls for detecting and blocking cyber attacks. 
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Critical Infrastructure Protection: Current Cyber Sector-Specific Planning Ap- 
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Information Security: TVA Needs to Address Weaknesses in Control Systems and 
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Meeting Energy Demand in the 21st Century: Many Challenges and Key Ques- 
tions. GAO-05-414T. Washington, D.C.: March 16, 2005. 

The Chairman. Thank you very much. 

Mr. Cauley. 

STATEMENT OF GERRY CAULEY, PRESIDENT AND CHIEF EX- 
ECUTIVE OFFICER, NORTH AMERICAN ELECTRIC RELI- 
ABILITY CORPORATION 

Mr. Cauley. Thank you, and good morning, Chairman Binga- 
man, and Ranking Member Murkowski, and members of the com- 
mittee, and fellow panelists. My name is Gerry Cauley. I am the 
President and CEO of the North American Electric Reliability Cor- 
poration. 

When we go about our business for reliability and security of the 
power grid, we think, first, of the customers and rate payers and 
citizens that we serve. When I do that, we think about 4 principles. 
First of all, focus on really big important reliability problems find 
solutions, and fix them. 

Second, we apply principles of using risk-based approaches to 
make sure that we are prioritizing effectively and that we are com- 
ing up with cost-effective solutions. 
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Third, we focus on the learning industry. So, we are continually 
adapting and developing reliability solutions and learning from ex- 
perience. 

Finally, we hold the industry accountable, as well as ourselves, 
to produce reliability results. 

This approach works really well in conventional risks, such as 
storm outages, equipment failures, human factors, errors, and 
those kinds of things. I think the approach also works well in the 
arena of cyber and physical security. 

One of the big differences, however, in security is we are often 
challenged by the lack of information, and this is where, in cyber, 
the partnership between industry and Government, in terms of in- 
formation sharing, to help us understand those risks and be able 
to adapt to them, is very important. 

So, our strategy for security recognizes that a perfect defense 
against the bad guys is not achievable nor necessarily affordable. 
So what we have to do is combine defense strategies, such as 
through our standards, as well as resilience, and adapting and en- 
hancing the existing resilience of the bulk power system. 

So, our strategy includes several activities. The first is in the — 
having a base set of standards that ensure the protection of the 
grid. We promote and are involved in active information sharing 
between industry and Government, and among industry, and 
among critical infrastructure sectors. We are focused on training 
and exercising and testing our ability to perform well under secu- 
rity challenges. We are continually assessing the reliability and se- 
curity of the system, looking at emerging issues and emerging 
threats. We are working with Government agencies to develop solu- 
tions for security and also addressing cross-sector dependencies. 

I did previously testify in front of the committee in May 2011, 
and I would just like to briefly review some of the changes and 
some of the activities that we have completed since that time. 

First, in the area of standards — and I appreciate the Chairman 
pointing out that the electric power industry and the nuclear power 
industries are the only two critical infrastructures that do have 
mandatory standards and enforceable standards that are in place 
and that are working. 

It was mentioned that we — the Commission just recently ap- 
proved version 4, which includes a bright-line criteria, in terms of 
which facilities are required to be included within those standards. 
We are currently working on what I believe will be a plateau of se- 
curity for us in version 5, where we are adopting NIST’s risk con- 
trols into our standards, and we will have those completed and 
filed with the Commission by the end of the first quarter in 2013. 

In addition to the standards, we also have a very rigorous pro- 
gram on compliance. Since 2008, we have conducted over 500 au- 
dits of individual companies, sending teams onsite, finding various 
findings and recommendations and things that need to be cor- 
rected. We also have the industry under a very aggressive program 
to monitor the remediation of those issues. 

A third area is in the area of information sharing and analysis. 
This is our way of addressing near-term issues and risks that 
emerge continuously. There is a parallel that — if you look at — 
Microsoft essentially publishes on the second Tuesday of each 
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month for patches and vulnerabilities that have been identified 
over the previous month. That is essentially an approach that we 
need to take in terms of emerging risks and threats that come in 
that might be — need to be addressed on a matter of hours or days. 

We use our information sharing process, issue alerts. We were 
able to get an agreement signed with Homeland Security to gain 
us access to the National Cybersecurity and Communications Inte- 
gration Center, the NCCIC, and we have a secure portal up and 
running that allows the sharing of information. We have got over 
500 companies that are actively engaging, in terms of posting and 
using that information. Our alerts that we’re able to issue go to all 
1,900 companies that are affected by the bulk power system. 

Another area where we work actively is in the area of partnering 
with Federal partners. We have developed best practices guide- 
lines, based on NTS practices with Department of Energy. We also 
worked on the White House Initiative to develop a risk manage- 
ment maturity model, and we recently issued 4 reports on resil- 
ience, severe cyber attack, and GMD. 

So, in conclusion, I think our framework of standards, informa- 
tion sharing, and partnering with Government is the approach that 
will be most successful in cybersecurity. 

Thank you. 

[The prepared statement of Mr. Cauley follows:] 

Prepared Statement of Gerry Cauley, President and Chief Executive 
Officer, North American Electric Reliability Corporation 

introduction 

Good morning Chairman Bingaman, Ranking Member Murkowski, members of 
the Committee and fellow panelists. My name is Gerry Cauley and I am the Presi- 
dent and CEO of the North American Electric Reliability Coimoration (NERC). 
NERC was designated the Electric Reliability Organization (ERO) by the Federal 
Energy Regulatory Commission (FERC) in accordance with Section 215 of the Fed- 
eral Power Act (FPA), enacted by the Energy Policy Act of 2005. NERC’s reliability 
standards are mandatory and enforceable within the US for the bulk power system 
and include Critical Infrastructure Protection (CIP) Standards. To date, these stand- 
ards (and those promulgated by the Nuclear Regulatory Commission) are the only 
mandatory cybersecurity standards in place across the critical infrastructures of the 
United States. NERC’s mission is to ensure the reliability of the bulk power system 
of North America and promote reliability excellence with accountability for stand- 
ards and compliance, risks to reliability and continued coordination and collabora- 
tion with public and private sector partners. I testified on this subject before this 
Committee in May 2011, and I appreciate the opportunity to update the Committee 
on NERC’s activities related to cybersecurity. These activities include, but are not 
limited to: 

1. Receiving FERC approval of NERC’s Critical Cyber Asset Identification 
standards (CIP-002 version 4); 

2. Beginning work on a comprehensive revision to the cybersecurity stand- 
ards, leveraging lessons learned from previous versions; 

3. Issuing eight additional alerts related to cybersecurity concerns; 

4. Developing a risk management process guideline to help utilities better un- 
derstand their cybersecurity risks, assess severity, and allocate resources more 
efficiently to manage those risks; 

5. Completing the first phase of the High-Impact Low-Frequency Task Force 
reports identifying recommendations for owners and operators with respect to 
addressing severe impact resilience, cyber attacks, spare equipment, and geo- 
magnetic disruptions; 

6. Facilitating the first-ever Grid Security Exercise (GridEx) for the Elec- 
tricity Sub-sector in North America; and 

7. Participating in government partnership initiatives, including the Depart- 
ment of Homeland Security’s (DHS) National Level Exercise series and various 
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cybersecurity forums and briefings with Canadian government agencies, as well 
as the White House-initiated, Department of Energy (DOE)-led Electricity Sub- 
sector Cybersecurity Risk Management Maturity Model, which will support on- 
going development and measurement of cybersecurity capabilities within the 
sub-sector; 


THE CYBERSECURITY CHALLENGE FOR THE GRID 

As a result of society’s growing dependence on electricity, the electric grid is one 
of the Nation’s most critical infrastructures. The bulk power system in North Amer- 
ica is one of the largest, most complex, and most robust systems ever created. As 
CEO of the organization charged with ensuring the reliability and security of the 
North American grid, I remain deeply concerned about the changing risk landscape 
from conventional risks, such as extreme weather and equipment failures, to new 
and emerging risks where we are left to imagine scenarios that might occur and pre- 
pare to avoid or mitigate the consequences. Some of those consequences could be 
much more severe than we have previously experienced. I am most concerned about 
coordinated physical and cyber attacks intended to disable elements of the power 
grid or deny electricity to specific targets, such as government or business centers, 
military installations, or other infrastructures. These threats differ from conven- 
tional risks in that they result from intentional actions by adversaries and are not 
simply random failures or acts of nature. 

To explore the impacts of this changing risk landscape from the view of the newer 
emerging risks, NERC has worked with industry and government to better under- 
stand cybersecurity risks and manage those risks. Based on all of the work NERC 
has been involved in to date, it is clear that the most effective approach against ad- 
versaries exploiting the newer risk landscape is through thoughtful application of 
resiliency principles. Resiliency requires proactive readiness for whatever may come 
our way and includes robustness; the ability to minimize consequences in real-time; 
the ability to restore essential services; and the ability to adapt and learn. 

NERC MEASURES TO ADDRESS CYBERSECURITY THREATS AND VULNERABILITIES 

NERC has incorporated these resiliency elements in our strategic approach to en- 
suring reliability of the hulk power system. This strategic approach includes: 1) de- 
veloping mandatory and enforceable standards; 2) ensuring compliance and audit 
oversight; 3) sharing and analyzing information and issuing Alerts from the Elec- 
tricity Sector Information Sharing and Analysis Center (ES-ISAC); 4) engaging in 
private-public partnerships; and 5) conducting outreach, training, and education ac- 
tivities within and external to the bulk power system. Only through these critical 
infrastructure protection components can we achieve a balanced approach to guard 
against advanced persistent threats to grid cybersecurity and mitigate 
vulnerabilities. 


RELIABILITY STANDARDS 

In 2007, FERC designated NERC the ERO in accordance with Section 215 of the 
Federal Power Act, enacted by the Energy Policy Act of 2005. Upon FERC’s ap- 
proval, NERC’s reliability standards became mandatory within the US. These man- 
datory reliability standards include CIP Standards 001 through 009, which address 
the security of cyber assets essential to the reliable operation of the electric grid. 
To date, these standards (and those promulgated by the Nuclear Regulatory Com- 
mission) are the only mandatory cybersecurity standards in place across the critical 
infrastructures of the US. Subject to FERC oversight, NERC and its Regional Entity 
partners enforce these standards, developed with substantial input from industry 
and approved by FERC, to accomplish our mission to ensure the reliability of the 
electric grid. 

NERC’s nine mandatory CIP standards address the following areas: 

• Standard CIP-001: Covers Sabotage Reporting. 

• Standard CIP-002: Requires the identification and documentation of the Critical 
Cyber Assets associated with the Critical Assets that support the reliable oper- 
ation of the Bulk Electric System. 

• Standard CIP-003: Requires that Responsible Entities have minimum security 
management controls in place to protect Critical Cyber Assets. 

• Standard CIP-004: Requires that personnel with access having authorized cyber 
or authorized unescorted physical access to Critical Cyber Assets, including con- 
tractors and service vendors, have an appropriate level of personnel risk assess- 
ment, training, and security awareness. 
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• Standard CIP-005: Requires the identification and protection of the Electronic 
Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as 
all access points on the perimeter. 

• Standard CIP-006: Addresses implementation of a physical security program for 
the protection of Critical Cyber Assets. 

• Standard CIP-007: Requires Responsible Entities to define methods, processes, 
and procedures for securing those systems determined to be Critical Cyber As- 
sets, as well as the other (non-critical) Cyber Assets within the Electronic Secu- 
rity Perimeter(s). 

• Standard CIP-008: Ensures the identification, classification, response, and re- 
porting of Cyber Security Incidents related to Critical Cyber Assets. 

• Standard CIP-009: Ensures that recovery plan(s) are put in place for Critical 
Cyber Assets and that these plans follow established business continuity and 
disaster recovery techniques and practices. 

In December 2010, NERC approved an enhancement to its Critical Cyber Asset 
Identification standard (CIP-002 version 4) that establishes bright-line criteria for 
the identification of critical assets. This enhanced standard was filed with the Fed- 
eral Energy Regulatory Commission (FERC) in February 2011, and FERC approved 
the standard on April 19, 2012. The implementation of the CIP standards under the 
bright-line approach is currently underway. 

In addition, industry is currently developing a comprehensive revision to the 
cybersecurity Standards. The revision leverages experience with existing CIP stand- 
ards to enhance the industry’s protections against cyber threats and vulnerabilities, 
including transitioning the classification of critical assets to a “low-medium-high” 
impact-based system. The revised CIP standards will also provide greater flexibility 
in implementing solutions to emerging cyber threats. The revised CIP standards 
have been improved to remove technology-specific requirements by replacing them 
with a risk-based approach to implementing appropriate and changing technologies. 
That is, rather than specifying how to implement a requirement, the revised re- 
quirements specify the risk-based result that must be achieved, which enables in- 
dustry to implement new and emerging technologies to address the risk. 

NERC can use an emergency standards development process if circumstances 
warrant. In addition, FERC can order NERC to develop or modify a reliability 
standard to address a specific matter. ^ Finally, the NERC Board of Trustees can di- 
rect NERC to develop and adopt a standard in response to a EERC directive and 
timetable if the Board determines that the regular standards process is not suffi- 
ciently responsive to the Commission. 

Under the emergency standards process, FERC has authorized NERC to use an 
expedited standards development process to meet urgent reliability issues. These 
special standards can be developed on an expedited, confidential basis to address 
imminent or longer-term national security threats. NERC has practiced using this 
expedited, confidential process as part of GridEx. 

In addition to developing mandatory reliability standards, NERC supports the 
ERO’s Regional Entities to improve the consistency of compliance program results, 
improve risk-based approaches for auditing and spot checking, and promote a cul- 
ture of security and compliance through education, transparency, and incentives. 
Specifically, we conduct audit oversight of the Regional Entities’ compliance audit 
teams during audits of registered entities, and maintain oversight throughout the 
entire audit process (pre-audit, on-site, and post audit) in accordance with the audit 
oversight program. During this process, NERC seeks to capture compliance applica- 
tions, positive observations, lessons learned, and recommendations. NERC’s audit 
oversights are designed to perform a thorough evaluation of the processes and cri- 
teria used by all Regional Entities in their determination of registered entities’ com- 
pliance with the NERC Reliability Standards, including the CIP Standards. 

Compliance with the NERC CIP standards is an important threshold for properly 
securing the bulk electric system. However, no single security asset, technique, pro- 
cedure, or standard — even if strictly followed — will protect an entity from all poten- 
tial cyber threats. The cybersecurity threat environment is constantly changing and 
our defenses must keep pace. Security best-practices call for additional processes, 
procedures, and technologies beyond those required by the CIP standards. 


1 FERC can order NERC to develop a proposed reliability standard or a modification to a reli- 
ability standard to address a specific matter (such as a cyber threat or vulnerability) under FPA 
Section 215(d) (5). 
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THE ES-ISAC AND NERC ALERTS 

Not all vulnerabilities can or should be addressed through a reliahility standard. 
In such cases, NERC Alerts are a key element in critical infrastructure protection. 
To address cyber challenges not covered under the CIP Standards, NERC works 
through its ES-ISAC to inform the industry and recommend mitigation actions. 

The ES-ISAC gathers information from disparate electric industry participants 
about security-related events, disturbances, and off-normal occurrences within the 
Electricity Sub-sector and shares that information with key governmental entities. 
In turn, these governmental entities provide the ES-ISAC with information regard- 
ing risks, threats, and warnings which the ES-ISAC is then responsible for dissemi- 
nating throughout the Electricity Sub-sector. The two functions that the ES-ISAC 
supports, information sharing and analytics, are vitally important to all other crit- 
ical infrastructures and key resource sectors that have active ISACs. Effective col- 
laboration and communication is essential to addressing infrastructure protection 
and resilience within each sector, as well as the important interdependencies that 
exist among sectors. 

NERC staff with appropriate security clearances often work with cleared per- 
sonnel from Federal agencies to communicate unclassified sensitive information to 
the industry. As defined in NERC’s Rules of Procedure, the ES-ISAC developed the 
following three levels of Alerts for formal notice to industry regarding security 
issues: 

• Industry Advisory. — Purely informational, intended to alert registered entities 
to issues or potential problems. A response to NERC is not necessary. 

• Recommendation to Industry. — Recommends specific action be taken by reg- 
istered entities. Requires a response from recipients as defined in the Alert. 

• Essential Action. — Identifies actions deemed to be “essential” to bulk power sys- 
tem reliability and requires NERC Board of Trustees approval prior to issuance. 
Like recommendations, essential actions require recipients to respond as de- 
fined in the Alert. 

The risk to the hulk power system determines selection of the appropriate Alert 
notification level. Generally, NERC distributes Alerts broadly to users, owners, and 
operators of the bulk power system in North America utilizing its Compliance Reg- 
istry. Entities registered with NERC are required to provide and maintain up-to- 
date compliance and cyber security contacts. NERC also distributes the Alerts be- 
yond the users, owners and operators of the bulk power system, to include other 
electricity industry participants who need the information. Alerts may also be tar- 
geted to groups of entities based on their NERC-registered functions (e.g.. Balancing 
Authorities, Transmission Operators, Generation Owners, etc.). 

Alerts are developed with the strong partnership of Federal technical organiza- 
tions, including DHS and DOE National Laboratories, and bulk power system sub- 
ject matter experts, called the HYDRA team. NERC has issued 22 CiP-related 
Alerts since January 2010 (20 Industry Advisories and two Recommendations to In- 
dustry). Those Alerts covered items such as Aurora, Stuxnet, Night Dragon, and the 
reporting of suspicious activity. Responses to Alerts and mitigation efforts are iden- 
tified and tracked, with follow-up provided to individual owners and operators and 
key stakeholders. In addition, NERC released one Joint Product CIP Awareness 
Bulletin in collahoration with DOE, DHS and the Federal Bureau of Investigation 
(FBI) titled, “Remote Access Attacks: Advanced Attackers Compromise Virtual Pri- 
vate Networks (VPN).” 

The NERC Alert system is working well. It is known by industry, handles con- 
fidential information, and does so in an expedited manner. The information needed 
to develop the Alert is managed in a confidential and expedited manner and does 
not require a NERC balloting process. Information sharing through the ES-ISAC is 
the greatest asset we have to combat emerging threats to cybersecurity and help 
ensure the reliability of the bulk power system. As a result, NERC has been enhanc- 
ing the ES-ISAC’s capabilities by building out a private, secure portal to receive vol- 
untary reports from industry members and working with various organizations 
(both industry and government) to obtain the data and mechanisms necessary to 
conduct these information sharing activities. 

Anything Congress can do to further facilitate information sharing between the 
public and private sector would add greatly to these efforts. Some actions may in- 
clude: making more clearances available to industry, identifying alternative methods 
to communicate classified information to our Canadian partners, and encouraging 
increased information sharing by US Government departments and agencies with 
asset-owners. 
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NERC’S PUBLIC-PRIVATE PARTNERSHIPS TO ENHANCE GRID CYBERSECURITY 

As mentioned, NERC has developed several strong relationships with industry 
and government entities. As chair of the Electricity Sub-sector Coordinating Council 
(ESCC), I work with industry CEOs and our partners within the government, in- 
cluding the Department of Defense, DOE, and DHS, to identify, discuss, and resolve 
critical infrastructure protection policy, process, and resource issues. This type of 
public-private partnership is essential to effective cybersecurity protection by facili- 
tating information sharing about cyber-related vulnerabilities and threats. 

Last year, NERC signed a Cooperative Research and Development Agreement 
with DHS that provides ES-ISAC staff with access to DHS’ National Cybersecurity 
and Communications Integration Center (NCCIC). Access to the classified NCCIC 
facilitates a significantly improved bi-directional sharing of critical infrastructure 
protection information between the US government and the Electricity Sub-sector 
in North America. NERC has also recently established a protected communications 
corridor for the ES-ISAC in part to facilitate this bi-directional information sharing 
between the DHS NCCIC and BPS entities. 

NERC also provides leadership to three significant DHS-affiliated public-private 
partnerships. These groups are: 

• Partnership for Critical Infrastructure Security, the senior-most policy coordina- 
tion group between public and private sector organizations comprised of the 
chairs or co-chairs of all 18 critical infrastructure and key resources sectors and 
their Government Coordinating Council counterparts; 

• Cross-Sector Cyber Security Working Group, which was established to coordi- 
nate cross-sector initiatives that promote public and private efforts to help en- 
sure secure, safe, and reliable critical infrastructure services; and 

• Industrial Control Systems Joint Working Group, which is a cross-sector indus- 
trial control systems working group that focuses on the areas of education, 
cross-sector strategic roadmap development, and coordinated efforts to develop 
better vendor focus on security needs for industrial control systems. 

NERC also collaborates with the Industrial Control Systems Cyber Emergency 
Response Team to share threat, vulnerability, and security incident information. 

As part of NERC’s outreach and awareness efforts to engage industry and govern- 
ment in addressing some of the key cybersecurity challenges we face, NERC facili- 
tated the first-ever Grid Security Exercise (GridEx) for the Electricity Sub-sector in 
North America. This distributed play exercise, which was held in November 2011, 
was designed to validate the readiness of the Electricity Sub-sector to respond to 
a cyber incident, strengthen utilities’ crisis response functions, and provide input for 
internal security program improvements. Seventy-five industry and government or- 
ganizations from the US and Canada participated in GridEx. BPS entities included 
generation and transmission owners, reliability coordinators, independent system 
operators, and balancing authorities. Key government agencies, such as DHS, FBI, 
and DOE, were also heavily involved. GridEx provided a realistic environment for 
organizations to assess their cyber response capabilities. The biennial exercise was 
viewed across industry and government as a training success in preparing the BPS 
for a disruptive security event. NERC issued a final report in March 2012, and is 
applying the GridEx recommendations to further strengthen the bulk power sys- 
tem’s preparedness and response mechanisms. 

Given the heightened awareness of security in the Electricity Sub-sector, NERC 
hosts an annual Grid Security Conference (GridSecCon) to discuss emerging threats, 
industry best practices, and provide cutting edge training to the industry. NERC 
will again host this conference in October 2012, and will bring together cyber and 
physical security thought leaders from government and industry to discuss securing 
industrial control systems, social engineering attacks, and security event response 
management, among other topics. 


CONCLUSION 

As outlined today, NERC has many tools available, including critical infrastruc- 
ture protection standards and processes and the ES-ISAC, to address imminent and 
non-imminent threats and vulnerabilities. We work with multiple government, in- 
dustry, and consumer partners to support a coordinated comprehensive effort to ad- 
dress cybersecurity. 

We appreciate this opportunity to discuss NERC’s activities on cybersecurity with 
the committee related to cybersecurity protection of the grid. 

The Chairman. Thank you very much. 

Mr. Snitchler, go right ahead. 
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STATEMENT OF TODD A. SNITCHLER, CHAIRMAN, PUBLIC 
UTILITIES COMMISSION OF OHIO 

Mr. Snitchler. Good morning. Chairman Bingaman, Ranking 
Member Murkowski, and members of the committee, I want to 
thank you for the opportunity to appear before you today as we ex- 
amine the status of actions taken to ensure that the electric grid 
is protected from cyber attacks. My name is Todd Snitchler, and I 
am the Chairman of the Public Utilities Commission of Ohio. 

Our State agency is responsible for assuring residential and busi- 
ness customers access to adequate, safe, and reliable utility service 
at fair prices, ensuring the financial integrity and service reliability 
of the Ohio utility industry and, among other things, promoting 
utility infrastructure investments, including investments in IT in- 
frastructure. I am pleased to have the opportunity to discuss 
cybersecurity issues for the electric grid; because, often times, we 
take that grid for granted. 

Should Congress decide to pass legislation on cybersecurity, how- 
ever, it is my view that we must distinguish between imminent 
threats, which require immediate action, and vulnerabilities, which 
can be addressed and resolved more deliberately. Particularly, re- 
garding the electricity grid, one-size solutions for cybersecurity may 
not be the most effective means to mitigate and reduce known 
vulnerabilities. 

Additionally, the desired outcome from such legislation should be 
the establishment of a foundation that contemplates 4 basic consid- 
erations. First, we need to protect diamonds like diamonds and ap- 
ples like apples. That is, we must prioritize accordingly to ensure 
that the appropriate level of security is provided to all areas that 
require protection. 

Second, States and the owners of critical infrastructure that we 
regulate cannot protect the infrastructure to the maximum extent 
possible, unless the relevant Federal agencies provide the action- 
able information necessary to identify and address the threat or 
vulnerability. In other words, true information sharing between 
those who have the information and those who need the informa- 
tion to protect their systems. 

Third, our utilities can provide a gold-plated, or even a platinum- 
plated, system which is ultra-cyber secure. However, this raises the 
question of just how much do we want a kilowatt hour of electricity 
to cost. 

Fourth, preparedness should not focus solely on response capa- 
bilities, but should also ensure that resilience is built into the in- 
frastructure. Our Nation’s utilities — municipal-, cooperative-, and 
investor-owned — have done this country proud in responding to the 
greatest calamities and catastrophes, quickly, and capably restor- 
ing power after significant storms, earthquakes, wildfires, or even 
acts of terrorism. 

As a State regulator, my fellow commissioners and I, as well as 
our staff, have many responsibilities. Some items of significance 
today are resolved and become less significant down the road, and 
other items that are less significant today may become a issue of 
paramount importance in the near future, with a major change, for 
instance, in weather or technology. This is true for many things. 
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including the provision of electricity in a safe, reliable, and eco- 
nomic fashion. 

Just as utilities cannot protect against all threats, neither can 
they eradicate all susceptibilities. We must recognize there are dif- 
ferent parts of these systems that require different levels of protec- 
tion. This is why we must ensure there is adequate protection of 
the grid, especially its most valuable parts, while we must not ex- 
pend undue levels of resources protecting other less important 
parts of the system. 

Another point of consideration that must be recognized is that 
State agencies, like the PUCO, along with owners of that critical 
infrastructure, are unable to provide the full measure of protection 
necessary to help secure the critical infrastructure if the relevant 
agencies are not providing that actionable information to address 
imminent threats. 

State regulators take the reliability and security of the bulk 
power system very seriously. Through strong. Federal, State, pub- 
lic, and private partnerships, we have consistently maintained and 
improved reliability and security of the grid. 

Cybersecurity is an emerging area of risk for our utilities and for 
State commissions as well. Although, it is unique in some respects, 
this is not the first time that our State utility systems have faced 
reliability threats. Through a strong, public-private partnership, we 
have overcome past risks. It is my belief that this emerging of in- 
formation systems into the electric and other utility sectors will im- 
prove the resilience, reliability, and efficiency. 

Cooperation and acceptance of responsibility is a must. With 
modern threats becoming apparent to us in the last several years, 
we understand that our traditional responsibility to ensure reliable 
service must include the need to ensure security, both physical and 
cyber. 

Over the past several years. State commissions have begun to 
probe the cyber preparedness of our utility companies in the realm 
of the smart grid. In concept, the smart grid has the potential to 
provide many improvements in situational awareness, prevention, 
management, and restoration. In spite of introducing new weak- 
nesses, smart grid fundamentally makes the electric system more 
secure. 

In each of the areas that I have identified in my testimony, steps 
are being taken to manage the risk. The issue is how much money 
should be put into this effort when it is virtually impossible to stop 
all attacks, but vitally important to stop some. 

Smart grid poses an additional and particularly thorny policy 
issue, as well. Through NARUC’s collaborative with FERC on 
smart grid and other activities. State commissions have begun to 
identify key areas to assure the smart grid investments boast the 
highest, most sophisticated levels of security. Commissions, there- 
fore, have had to become more expert in our understanding of the 
prudent smart grid and cybersecurity investments. 

In Ohio, for instance, an extensive audit was recently performed 
on one of our utilities that complied with the NISTIR 7628, and in- 
dustry best practices that were to identify potential areas of im- 
provement were set forth. This effort was massive and will become 
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a best practices model for other commissions and utilities in their 
cybersecurity analyses and efforts. 

My testimony also lists a significant number of activities that 
have been undertaken by the Ohio Commission, in our effort to be- 
come more advanced in our understanding of cybersecurity issues. 
I also identify several other States, including, Pennsylvania, Texas, 
Missouri, and New York, who are also making active steps to try 
and increase their understanding, as well. 

A long-standing mission of eveiy State public utility is to ensure 
the physical viability of the utility plan under our supervision. A 
less traditional responsibility, that of cybersecurity and information 
systems standards and development, is increasingly being thrust 
into the mix, and this newer responsibility clearly envelops a 
broader range of industries and specific expertise. 

I see that I’m out of time, and the rest of my comments are in 
our written testimony. 

Thank you. 

[The prepared statement of Mr. Snitchler follows:] 

Prepared Statement of Todd A. Snitchler, Chairman, Public Utilities 
Commission of Ohio 

Chairman Bingaman, Ranking Member Murkowski, and Members of the Com- 
mittee, thank you for this opportunity to appear before you today as you examine 
the status of action taken to ensure that the electric grid is protected from cyber 
attacks. My name is Todd Snitchler, and I am the Chairman of the Public Utilities 
Commission of Ohio (PUCO), the State agency responsible for: 

• assuring residential and business consumers access to adequate, safe, and reli- 
able utility services at fair prices; 

• ensuring financial integrity and service reliability in the Ohio utility industry; 

• promoting utility infrastructure investments (including investments in IT infra- 
structure); and, 

• related items like fostering of competition, safety, and even mediation respon- 
sibilities. 

I am pleased to have been given this opportunity to discuss cybersecurity issues 
for the electric grid. We take for granted the reliability of our nation’s grid and we 
are hyper-sensitive when we lose power because we are not generally accustomed 
to it — nor should we be. 

Should Congress decide to pass legislation on cybersecurity, however, it must dis- 
tinguish between imminent threats, which require immediate action, and 
vulnerabilities, which can be addressed and resolved more deliberately. Particularly 
regarding the electric grid, one-size solutions for cybersecurity may not be the most 
effective means to mitigate and reduce known vulnerabilities. Additionally, the de- 
sired outcome for such legislation should be the establishment of a foundation that 
contemplates at least four basic considerations. 

First, let us protect diamonds like diamonds and apples like apples. That is, we 
must prioritize accordingly to ensure that the appropriate level of security is pro- 
vided to all areas that require protection. 

Second, States and the owners of the critical infrastructure we regulate cannot 
protect the infrastructure to the meiximum extent possible unless relevant Federal 
agencies provide the actionable information necessary to identify and address the 
threat and/or vulnerabilities — in other words true information sharing between 
those that have critical information (the Federal agencies) and those that need such 
information to protect their systems. 

Third, our utilities can provide a “gold-plated” or even a “platinum-plated” system 
which is ultra-cyber secure. However, this raises the question of just how much 
more do we want a kilowatt hour of electricity to cost? While we understand that 
if the lights are not on it does not matter what the cost of the electricity is, do we 
really want the critical infrastructure to be so expensive that due to cost constraints 
it is no longer considered critical? 

Fourth, preparedness should not focus solely on response capabilities, but should 
also ensure that resilience is built into our infrastructure — our nation’s utilities 
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(municipal, cooperative, and investor-owned) have done this country proud in re- 
sponding to the greatest calamities and catastrophes, quickly and capably restoring 
power after significant storms, hurricanes, earthquakes, wildfires, and even acts of 
terrorism. 

As a State regulator, my fellow Commissioners and I, as well as our Staff, have 
many responsibilities. Some items of significance today are resolved and become less 
significant down the road. Other items that are less significant today may become 
of paramount importance in the near future with a major change in one variable 
like weather, for instance. This is true for many things, including the provision of 
electricity in a safe, reliable and economic fashion. Focusing on reliability, there are 
many factors that impact that aspect — physical infrastructure in place and oper- 
ational considerations, such as generators, wires, substations, transformers, and me- 
ters. Also greatly impacting reliability is equipment failure. Equipment may fail due 
to its age, its overuse or underuse, physical vulnerabilities, and as we are aware, 
perhaps due to cyber vulnerabilities. Many of these vulnerabilities have existed and 
are known, while other weaknesses are more recently being better understood. Just 
as the electric utilities cannot protect against all threats, neither can they eradicate 
all susceptibilities. But we must recognize there are different parts of these systems 
that require different levels of protection. This is why we must ensure that there 
is adequate protection for the electric grid, especially the most valuable parts, while 
we must not expend undue levels of resources in protecting other, less important 
parts of the system. 

Another important point of consideration that must be recognized is that State 
agencies like the PUCO, along with the owners of our critical infrastructure, are un- 
able to provide the full measures of protection necessary to help secure our nation’s 
critical infrastructure if the relevant Federal agencies do not provide actionable in- 
formation to address imminent threats. State regulators take the reliability and se- 
curity of the bulk-power system very seriously. Through strong Federal, State, pub- 
lic, and private partnerships, we have consistently maintained and improved reli- 
ability and security of the grid. As times and technologies have changed, new risks 
and vulnerabilities have emerged. The transition to a smarter, more efficient grid — 
while full of promise — carries with it unforeseen concerns and unintended con- 
sequences. As Congress considers legislation in this area, it should build on existing 
Federal-State coordination and result in a framework where vulnerabilities to the 
system are identified, prioritized, and resolved in a timely fashion. 

However, identification of vulnerabilities is only one part of the main equation; 
equally, or even more importantly, is a need by the States and especially by the 
asset owners to recognize the threats to the nation’s grid. We hear consistently from 
asset owners who provide information about their systems to Federal agencies in 
the spirit of cooperation, all the while seeking reciprocity, yet they never receive 
truly meaningful, actionable, timely information in return. They cannot protect all 
of their systems against everything; none of us can. They have to target their de- 
fenses and we have to help them understand the actionable threats so that they 
may bolster their defenses where needed. 

As with most sectors of the economy, information systems are rapidly merging 
with utility systems, potentially heightening the risks of service disruption. 
Cybersecurity is an emerging area of risk for our utilities and for State Commis- 
sions as well; although it is unique in some respects, this is not the first time our 
utility systems have faced new reliability threats. Through a strong public-private 
partnership, we have overcome past risks, and it is my belief that this merging of 
information systems into the electric and other utility sectors improves their resil- 
ience, reliability and efficiency. 

National security roles and responsibilities have been subject to the purview of 
Emergency Management Agencies, State Police, and Departments of Homeland Se- 
curity. However, the lines defining and separating roles in critical infrastructure 
protection between the Federal government, State agencies, and the private sector 
owners of critical infrastructure are necessarily overlapping now. Cooperation and 
acceptance of responsibility is a must. With modern threats becoming apparent to 
us in the last several years, we understand that our traditional responsibility to en- 
sure reliable service must include the need to ensure security — both physical and 
cyber. Breaches of security, obviously, can have extremely serious reliability con- 
sequences. From my vantage point. State commissions can identify certain key areas 
of concern about cybersecurity. The first concern focuses on business process sys- 
tems — email, office computing, databases, etc. — that are not unique to utilities. In 
fact, commissions in recent years have improved their own security, along with ev- 
eryone else, as attacks on these systems become more sophisticated and we become 
more dependent on them for our operations. 
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A second vulnerability is more specific to regulated utilities: control systems. Su- 
pervisory Control and Data Acquisition (SCADA) systems have been and remain an 
inextricable part of utility operations, and have served to improve the efficiency and 
reliability of our system operations in every system throughout the country. In re- 
cent years, susceptibilities in these SCADA systems have been repeatedly high- 
lighted. 

Over the past several years. State commissions have begun to probe the cyber- 
preparedness of our utility companies in the realm of smart grid. With tens of bil- 
lions of dollars in investment on the line, commissions want to know that the invest- 
ments are not going to introduce new and unmanageable risks. In concept, the 
smart grid has the potential to provide many improvements in situational aware- 
ness, prevention, management, and restoration. In spite of introducing new weak- 
nesses, smart grid fundamentally makes the electric system more secure. Still, this 
technology brings with it new vulnerabilities and points-of-access to create inten- 
tional disruption, which should be taken extremely seriously. “Guns-gates-and- 
guards” analogs of password protection and “security through obscurity” must be 
augmented with a framework of meiximum system resilience and next-generation 
safeguards that allow the network to be impregnable, even if devices connected to 
it are compromised. 

In each of these areas, steps are being taken to manage the risk. The regulated 
companies that we oversee, through the North American Electric Reliability Cor- 
poration (NERC), are continuously in a process of developing and updating stand- 
ards for cybersecurity that we believe are a good step in the right direction for 
SCADA and business process systems. NERC, for example, has adopted a cyber-se- 
curity standard for the bulk electric system. NERC’s cybersecurity (“CIP”) standards 
are extensive and thorough. Over the past five years electric utilities across the 
country have requested significant additional staffing and dollars for CIP standard 
compliance activities in their transmission rate case filings at FERC. The CIP 
standards already in place are adequate for both physical security and cyber-secu- 
rity. However, extending the applicability of those standards to lower voltage facili- 
ties raises the question of how much more we are willing to pay for a marginal in- 
crease in cybersecurity. The issue of how much more money should be put into this 
effort when it is virtually impossible to stop some cyber attacks (e.g., hackers get- 
ting into the Pentagon’s computer system) needs to be addressed. 

Smart grid poses an additional, and particularly thorny, policy issue as well. 
Through NARUC’s collaborative with FERC on smart grid and through other activi- 
ties, State commissions have also begun to identify key areas to assure that smart 
grid investments boast the highest, most sophisticated levels of security. Recent 
Federal funding support for smart-grid investments has incentivized the deployment 
of hardware in advance of the development of standards for cybersecurity, among 
other issues. Commissions may be confronted with expenditures on cybersecurity for 
which no specific standard has yet been reached. This draws commissions into spe- 
cific areas of review in order to determine the prudence of expenditures — a review 
that would be unnecessary if the expenditure would be made in compliance with rec- 
ognized standards. 

Commissions, therefore, have had to become more expert in their understanding 
of prudent smart grid and cybersecurity investments. Because we are driven by our 
obligation to assure the reliability of service for our ratepayers, we must better un- 
derstand the prudence of the costs in ensuring reliability (including expenditures for 
cyber-security) that goes into their rates. As a result, our agency has expended sig- 
nificant time and resources to become better educated regarding cybersecurity. Over 
the past several years, as the electric industry aptitude has grown regarding 
cybersecurity, so too has that knowledge base grown across State commissions. 

In Ohio, for instance, regarding the smart grid discussion above, an extensive 
audit was conducted to assess the degree to which Duke Energy Ohio’s Smart Grid 
system complied with the NISTIR 7628 and industry best practices and identify po- 
tential areas of improvement, which was a precursor to the action items in the stip- 
ulation. An internal audit was also provided during the audit and included penetra- 
tion testing on a number of Smart Grid assets. An extension stipulation was 
reached regarding Duke’s cybersecurity plan and the implementation of that plan, 
including the role of the Commission. This effort was massive and will become a 
best practices model for other commissions and utilities in their cybersecurity anal- 
yses and efforts. 

We have been very involved in the NIST’s and now the Smart Grid Interoper- 
ability Panel’s (or SGIP’s) Cyber Security Working Group. My agency has been very 
active in pursuing cybersecurity training opportunities with Idaho National Labs, 
NIST & NIST’s ITL Computer Security Division, the SGIP, EnerNex, NERC’s Grid 
Security Conference, and others, as well as participating in the development of the 
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initial NIST-IR 7628, the most recent version being a multi-volume compendium of 
Smart Grid Cyber Security Strategy and Requirements. We have actively partici- 
pated in the National Association of Regulatory Utility Commissioners (NARUC) 
Cybersecurity Boot Camps. Additionally, our Staff participates in two different sets 
of regular, twice-monthly conference calls with our colleagues from across the coun- 
try. These calls address critical infrastructure protection issues, cybersecurity issues 
for utilities, as well as smart grid development and implementation issues. Our 
Staff participates in monthly threat briefings for both the electric sector as well as 
the oil and natural gas sector. Also, our Staff regularly participates in weekly brief- 
ings with Ohio Homeland Security. Through this partnership, our agency has a per- 
manent seat at the State of Ohio’s Strategic Analysis and information Center (or 
SAIC), just as it does in our State of Ohio Emergency Operations Center. Presently, 
the State of Ohio has developed a Statewide Cybersecurity Strategy and our Staff 
has been actively engaged in both the development as well as the on-going imple- 
mentation of that strategy. Over a year ago, my agency conducted a cybersecurity 
workshop for our utilities as well as for our State and Federal partners. Leading 
part of that workshop was a representative from the U.S. Department of Ener^’s 
Cybersecurity for Energy Delivery Systems program. Also participating was Ohio’s 
Homeland Security Advisor, as well as representatives from the cyber squads from 
both of the FBI divisions in Ohio. In addition, the two U.S. Department of Home- 
land Security (DHS) Protective Security Advisors stationed in and serving Ohio ad- 
dressed not only their physical protective security program, but also DHS’s 
cybersecurity advisor program and the related cyber resources and tools available 
from DHS for asset owners. Our efforts in strengthening the cybersecurity posture 
of Ohio’s utilities continue. 

Ohio also has one of the premier military bases in the country — Wright-Patterson 
Air Force Base. Located in the south-western portion of the state, this base employs 
a significant number of personnel and performs mission-critical work for the Depart- 
ment of Defense. My agency has worked with this base in the past, and will do so 
in the future, to ensure that it has what it needs to accomplish its objectives. 

While I am not an expert on what other States are doing with regard to 
cybersecurity, I am aware of a few examples of activity that State commissions have 
engaged in, to ensure that companies are focused on this issue. In most instances 
these activities are coordinated with other State agencies that also have a jurisdic- 
tional responsibility for safety and/or security. 

Since 2005, the Pennsylvania Public Utility Commission has required all jurisdic- 
tional utilities to have a written cyber security plan to complement their emergency 
response, business continuity and physical security protocols, each of which are test- 
ed on an ongoing basis. The Pennsylvania PUC has issued orders on cybersecurity 
in reaction to media reports of grid infiltration by international hackers. Pennsyl- 
vania also issued a secretarial letter to its utilities encouraging them to be active 
in the NIST Standards development process by reviewing and commenting on the 
NIST Framework and the Cyber Security Coordination Task Group documents and 
to participate in various related working groups. Pennsylvania has also incorporated 
cyber-security review in its management audits process. Pennsylvania performs 
management and efficiency audits at least once every five years on all electric, gas, 
and water utilities with over $10 million of plant in service. 

Another State taking action is Missouri. Missouri requires all of its utilities to 
have in place reliability plans and has queried its utilities about steps taken or 
planned regarding cybersecurity as it relates to company operations. The Missouri 
Commission required the utilities to furnish Staff with a verified statement affirm- 
ing whether the company is in compliance with NERC Order No. 706 or what reme- 
dial actions are to be taken and how long it will take the company to become compli- 
ant. The Commission also asked what other organizations, groups, industry groups 
or other organizations these companies participate with, such as local FBI or State 
agencies, regarding security issues. 

In New York, they are sharing the responsibility for critical infrastructure protec- 
tion at the Department of Public Service. Since 2003, when it was created, the New 
York State Public Service Commission Office of Utility Security has carried out a 
regular program of oversight of both physical security and cybersecurity practices 
and procedures at the regulated utility companies in the energy, telecommuni- 
cations and water sectors. Staff of this office is devoted full time to this security 
audit responsibility. Generally, that office utilizes the existing NERC CIP standards 
as benchmarks to form its own judgments about the quality of cybersecurity meas- 
ures in place at New York’s regulated utilities. Its Staff adheres to a schedule that 
calls for visiting each regulated electric utility company four times a year to audit 
compliance with some portion of the CIP standards, with the goal of measuring com- 
pliance with all of the standards at each company over the course of a year. 
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The Public Utility Commission of Texas has established a stakeholder working 
group (comprised of utilities and ERGOT Staff) designed to work on issues specific 
to cybersecurity. This effort is lead by Texas Commission Staff. The group meets 
regularly to discuss the cybersecurity assessments performed on Smart Meter 
Texas, which is the common portal that provides end-user access to energy usage 
data sourced from the AMI that was deployed by the respective utilities. Each util- 
ity is responsible for securing its own AMI and cybersecurity assessments are re- 
quired of the utilities by rulemaking once deployment of AMI and other smart grid 
technology is approved. Regulations include requirements for end-to-end assess- 
ments, performed independently and annually of the utility system. These results 
are kept confidential but shared with the Staff. 

In addition commission staff participates in the discussions at the ERGOT ISO 
Critical Infrastructure Protection Working Group (CIPWG), in which NERC CIP 
issues are discussed. While this concerns the bulk electric system, other topics re- 
lated to cybersecurity that are broached include: newly discovered vulnerabilities; 
emerging threats to critical infrastructure; cybersecurity standards development 
from outside NERC; mission assurance for the military; and any cybersecurity train- 
ing opportunities, conferences, workshops, or exercises. 

A long-standing mission of State public utility commissions is to ensure the phys- 
ical viability of tbe utility plant under their supervision. A less traditional responsi- 
bility, that of cybersecurity and information systems standards and development, is 
increasingly thrust into the mix, yet this newer responsibility clearly envelops a 
broader range of industries and specific expertise. Utility regulators recognize the 
dependence of sound cybersecurity practices and cyber reporting on sound construc- 
tion practices and utility-outage reporting, and vice versa. 

A concern that I wish to leave with you for consideration is that protocols in- 
tended to distinguish between disruptions to critical infrastructure related to cyber 
events and those related to physical events, for example, a distributed-denial-of- 
service (DDOS) attack as opposed to a fiber-optic cable failure, have not kept up 
with the fast-emerging nature of cyber threats. Such protocols are easier to craft 
than to implement. The first evidence of disruption is the disruption itself, and such 
events do not often present themselves with the root cause clearly visible. 

In the critical “golden hours” after a possible new developing threat is detected, 
or immediately following an event, it may not always be clear what is actually hap- 
pening or why. For this reason, close coordination between the utility sector and tbe 
cyber sector is essential to the response. As the State public utility commissions 
have traditionally served as the gateway to the utility sector and have their own 
independent core of expertise and relationships key to understanding, in real-time, 
events affecting that plant, close coordination among the operators of our cyber net- 
works, the Federal government, and State homeland security partners, including 
State utility commissions, is essential. Resolving cybersecurity issues will require 
significant efforts on the parts of all of us, not just one or two of us. We all are 
part of the solution. Working with the asset owners and with our Federal partners, 
the States have been successful in the past in enhancing the overall reliability of 
our nation’s electric grid. Our Federal government possesses significant assets that 
can provide States and the critical asset owners with timely and actionable threat 
information necessary to better secure these assets. We are partners in this struggle 
to maintain and enhance the reliability of our electric grid and to increase its resil- 
iency, and we must all work together to achieve our collective goal. 

Mr. Chairman and members of the Committee, this concludes my testimony. We 
at the Public Utilities Commission of Ohio take tbe issues of cybersecurity and reli- 
ability very seriously. As such, we believe a Federal-State, public-private partner- 
ship is essential to meeting these challenges over the long term. 

Thank you again for the opportunity to provide testimony here today and I would 
be happy to answer any questions that you or members of the Committee may have. 

The Chairman. Thank you. Thank you, all, very much for your 
testimony. I will start with a few questions. 

Mr. Cauley, let me ask you first. Could you describe what hap- 
pens when a vulnerability is discovered, vulnerability to a cyber at- 
tack, for example. If you issue an alert to utilities about that vul- 
nerability, is there any requirement that they follow your advice on 
that alert? 

Mr. Cauley. Thank you. We produce the report with intelligence 
information from the Government, with cleared experts. We create 
a document that we can then issue to industry, which is unclassi- 
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fied. We have 3 levels that we can issue. One is an informational 
heads-up. One is a recommendation, which we can track the results 
and performance of the recommendations. The third is an essential 
action, if we feel that it is imperative that the industry implement 
that. Then, our hoard can approve it, and it is a required action, 
and the industry is required to report back the results of that per- 
formance. 

The one area I pointed out last year in testimony was the — even 
though the industry is required to report back and they are re- 
quired to implement the action, there is not an enforcement mecha- 
nism for that. I appreciate that in the discussion of that legislation, 
there was an inclusion to deal with that gap. 

The Chairman. So, at the current time, if you issue an alert and 
you say, “Take the following action,” and the utility does not do so, 
you have no ability to enforce that? 

Mr. Cauley. The industry is required to respond by our rules 
and by rules that FERC has approved, so the — we are limited at 
this point to a civil action, but not within our current rules and our 
current framework. 

The Chairman. So, you can take them to court? 

Mr. Cauley. We could. 

The Chairman. But there is no immediate penalty or immediate 
remedy available to you. 

Aurora, I guess, is the most famous cyber vulnerability that has 
sort of gotten a lot of publicity. It was on CNN for several days 
back in 2007. You issued an advisory for that vulnerability, I be- 
lieve; is that correct? 

Mr. Cauley. That is correct. 

The Chairman. Are you able to track how many utilities still 
have not complied with the recommendations in that advisory? 

Mr. Cauley. We were able to — one of the first things I came — 
did when I came back to NARC as CEO in the beginning of 2010, 
as I recognized that the information that the industry had from 
2007 was insufficient, unclear, and, essentially, not actionable — so, 
we worked to issue another alert in 2010, which, I think, points out 
the importance of information sharing and access to information. 
So, we were able to put out a meaningful alert in 2010. We are 
tracking on a twice-yearly basis. We are tracking on the completion 
of mitigation. We have that information, and we file it with the 
Commission. It is sensitive information because of the nature of the 
vulnerability, but we do track that and file that with the Commis- 
sion. 

The Chairman. It seems to me — and you can just respond and 
tell me if I am misstating the situation. But it seems to me that 
the way the standard-setting process works, standards should be 
developed as a general framework for exercising authority to re- 
quire mandatory actions in the case of a vulnerability being discov- 
ered. In fact, the way the system is working is that you are re- 
quired to issue a new standard, with all of the accompanying delay, 
for any new threat that comes along, or if you don’t do that, then 
you are left only with the ability to make non-binding recommenda- 
tions. Now, is that a fair statement of where things stand? 

Mr. Cauley. I think, Mr. Chairman, not every risk or challenge 
or vulnerability requires a standard. We get a lot of things cor- 
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rected with information and just explaining to the industry what 
the issues are. There is a lot of problem-solving going on every day. 

Alerts give us an opportunity to deal with emerging issues or 
issues that need a timely response. Whether or not we could de- 
velop — we could develop a standard on Aurora. The difficulty with 
that is, it is more of an equipment manufacturing- type standard, 
which is more applicable to an IEEE, the Institute of Electronic 
and Electrical Engineers, and I understand that they are com- 
mitted to looking at that issue as a technical standard on equip- 
ment. 

If the Commission felt that there was a vulnerability that had 
been out there and had been out there too long, my belief is that, 
within the current section 215, the Commission could issue an 
order to the ERO to produce that standard, if it was a priority over 
other risks that we are dealing with. 

The Chairman. Senator Murkowski. 

Senator Murkowski. Thank you, Mr. Chairman. 

I am going to ask a little bit more about information sharing. It 
is something that each of you has addressed. Clearly, the NERC 
plays a role here with the Electricity Sector Information Sharing 
and Analysis Center, where you share and analyze the information. 
You have mentioned some of that. But it sounds like even from 
NERC’s point of view, you would urge Congress to do what it can 
to facilitate further information sharing. 

Mr. Snitchler, you have indicated how important it is that the 
Eederal agencies provide the actionable information, too, to help 
address or identify threats or vulnerabilities. GAO has also men- 
tioned that. 

So, let me start with you, Mr. McClelland. Does the EERC think 
that the private sector has the information that it needs today to 
take action to address the cybersecurity threats and vulnerabilities 
from the information sharing perspective; do you have in place 
what you need? 

Then, if I could ask each of you to just further address this, be- 
cause I think this really goes to the heart of what we are talking 
about here today. 

Mr. McClelland. Thank you. Senator. 

I think, in general, the security practices are well-documented. I 
think there are protocols to standards. There are alerts and 
advisories that detail specific security protocols to improve the se- 
curity posture of the utilities. 

But, specifically, no, there are circumstances where there may be 
a specific actor that has targeted a particular piece of equipment 
or an operating practice. In those cases, it is important that those 
individual entities, and the industry at large, perhaps to a lesser 
degree if they don’t have that specific equipment, is brought in, 
counseled, shown the threat, and then, any particular mitigations 
that could be applied are explained to that entity. 

Senator Murkowski. So, then, to the rest of you. How do we do 
a better job of the information sharing? 

Mr. Wilshusen. 

Mr. Wilshusen. One is to make sure that there is an appro- 
priate mechanism in which — in place to actually share information 
on a timely, actionable basis. 
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We did a review a couple of years ago at the Department of 
Homeland Security, of its lead role promoting the private-public 
partnership in securing our critical infrastructures, which include 
the electricity grid. We found that, to a large extent, the informa- 
tion that DHS provided through its alerts and threat information 
was not meeting the expectations of its private sector partners. 

In many cases, the information was not actionable, not timely. 
So, one of the means that would have to take place is to ensure 
that the information that is being provided is current, timely, and 
also anonymized. That has been one of the problems, is making 
sure that the information is sufficiently anonymous, so as not to 
identify any particular company or organization, but gets the infor- 
mation out to the individuals who actually put fingers on key- 
boards and secure the systems. 

Senator Murkowski. Mr. Cauley. 

Mr. Cauley. Senator Murkowski, I fully agree with the sugges- 
tion that the most important thing that legislation could do would 
be to foster a robust information sharing between Government and 
industry. 

Today, it is happening, but it is sort of like sipping from a lawn 
hose. We just need more. Also, the information sources are ad hoc 
across agencies, so we work out individual relationships with agen- 
cies to get information. We have a very limited access to clearances 
within the industry, particularly on the top secret side. The value 
of that is, only industry experts can really, fully understand the 
impacts. Often, our limited folks that we have that do have clear- 
ances are explaining back to the intelligence folks what might be 
the impacts for a particular threat. So, I think getting more clear- 
ances, having a more unified system for sharing of information 
would be very beneficial. 

Senator Murkowski. Mr. Snitchler. 

Mr. Snitchler. Senator, what we hear from the utilities that we 
regulate is, often, that there is — they perceive a one-way informa- 
tion street, and they provide information and don’t feel that they 
are getting a reasonable amount of information in return. By that, 
as already mentioned by other panelists, some of the specific data 
that could be helpful to them. 

There is also, I think, often times, the fear of disclosure will re- 
sult in practices that maybe impact one utility, as opposed to all 
of them equally. So, there is a reluctance, perhaps, to share granu- 
lar detail that might be helpful. 

Again, the anonymized information that was previously ref- 
erenced, I think, would be helpful for that, because then it would 
ensure that we could have better disclosure of information in both 
directions. 

The critical component that we hear from utilities, without ex- 
ception, is the need for security and that information not to find 
its way out into the public realm because of the potential implica- 
tions, both to them and to the utility system. 

Senator Murkowski. Thank you. Thank you, Mr. Chairman. 

The Chairman. Senator Wyden. 

Senator Wyden. Thank you, Mr. Chairman. Mr. Chairman, 
thank you for holding this hearing. I think it is extremely timely, 
in light of the leader’s desire to bring cyber legislation to the floor. 
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I want to review with the 4 of you, essentially, where things are, 
on a couple of key questions. 

Now, as Chairman Bingaman noted, there are already rules in 
place that include cyher threats to the electric grid, and that, of 
course, was launched years ago. Now, this exercise seems to have 
produced another division in what I call the “growing cyher indus- 
trial complex.” For years now, the Federal Energy Regulatory Com- 
mission and the North American Electric Reliability Corporation, 
private companies, and lots of lawyers have shuffled paper back 
and forth, grants have been dispensed by the Department of En- 
ergy, and this has produced a product that has left few satisfied. 

So, let me start with you, Mr. McClelland, in terms of some of 
the concerns that would be helpful to have addressed this morning. 
Do you believe that because the standards don’t require a physical 
separation, between the energy company networks that run the 
business operations and the critical infrastructure — the substations 
and the transmission — that despite all of this paper shuffling, this 
shortcoming is still a significant factor in making the electric grid 
vulnerable to attack? 

Mr. McClelland. I will answer that and then maybe add a little 
to it, is that one of the CIP standards, CIP 5, requires an Elec- 
tronic Security Perimeter around a critical cyber asset. Only crit- 
ical cyber assets, which are self-designated by the entity that is 
captured by the standard, are covered by the standards themselves. 
So, if an entity decides it has critical cyber assets, then it des- 
ignates an Electronic Security Perimeter around those assets. If 
the business systems are connected to the critical cyber asset, via 
the SCADA systems, or whatever the control systems are, then 
those business systems, theoretically, fall within that Electronic Se- 
curity Perimeter. 

So, if they are interconnected, if they work together, if they can’t 
be separated, the assumption I would have is that they would be 
within — they would both be included within that ESP and phys- 
ically protected. 

Senator Wyden. But the bottom line is, the networks don’t have 
to be separate, is that correct? 

Mr. McClelland. That is correct. 

Senator Wyden. OK. The second question I would like to ask of 
you is, that, for purposes of the legislation that is being considered 
for the floor of the Senate here before August, some companies are 
asking, that for purposes of this bill, they should be legally pro- 
tected — legally protected through indemnification provisions when 
they report vulnerabilities in any cyber network. 

Now, it is my understanding that, with respect to the 2005 law, 
there is no such legal protection; is that correct? If so, is the ab- 
sence of that kind of legal protection or indemnification processes — 
has that caused any problem in your view? 

Mr. McClelland. Under the cyber standards or any of the reli- 
ability standards, one of the considerations under the violation se- 
verity level is whether or not an entity self-reports its problem. 
That is taking into consideration, as far as the enforcement provi- 
sion, the penalties, how willing they are to admit that they have 
a problem, what the mitigation plan looks like, how timely they 
could be. So, self-reporting is an important aspect, as far as mitiga- 
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tion of the enforcement aspects, even under the existing network 
or the framework. 

Senator Wyden. But the question is, Are there indemnification 
procedures now? My understanding is there are not. 

Mr. McClelland. Right. 

Senator Wyden. Is the absence of these provisions causing any 
problem? The reason I am asking is because this is going to be a 
big issue in the discussion, is whether or not there ought to be 
these indemnification processes when companies come forward and 
report problems. What I would like to know is, if there are any 
problems today, as a result of the lack of reporting requirements. 
Could you answer that? 

Mr. McClelland. I guess I would answer it by saying that, the 
self-reporting requirements — you know, the enforcement provisions 
under the existing standards are important, and if it is not a stand- 
ard that compels action, then it is not something that you can as- 
sure happens. 

You know, information exchange, alerts, advisories, essential ac- 
tions can be helpful. But, at the end of the day, if there is no en- 
forcement provision, it — there is no teeth behind these issues. 

Senator Wyden. I will try one more time. Do you think 

[Laughter.] 

Senator Wyden. Do you think indemnification procedures are 
needed for purposes of this bill that is going to be considered for 
the floor before August, yes or no? 

Mr. McClelland. I am just not prepared to comment on that. 
I’m sorry. 

Senator Wyden. OK. Thank you, Mr. Chairman. 

The Chairman. Senator Franken. 

Senator Franken. Yes, Mr. McClelland, do you think — no. I’m 
not good at that 

[Laughter.] 

Senator Franken. But this question is for you, and for anyone 
who wants to pick up on it. Deploying a smart grid is crucial for 
integrating distributed and renewable energy resources, but a 2011 
GAO report noted that, while FERC has authority to adopt smart 
grid standards, it does not have any specific enforcement authority 
to implement these. 

What are your recommendations for ensuring that standards are 
properly developed and enforced? Is this issue adequately ad- 
dressed in any of the cyber security bills before the Senate? 

Mr. McClelland. The GAO did find — they did echo FERC’s find- 
ing from its policy statement on smart grid, that it lacked enforce- 
ment authority under the EISA that was passed by Congress. So, 
we do not have enforcement authority, even if we find that 
cybersecurity standards, as recommended by NIST, achieve suffi- 
cient consensus. 

The Commission’s authority, however, does lie under 215. So, 
pursuant to that authority, the Commission has been an active par- 
ticipant in NIST’s SGIP and Cybersecurity Working Group. Our 
staff attends those meetings. They are regular participants. They 
bring that information then back to the NERC 215 process when 
they actively engage in the standards development teams under 
the cybsersecurity standards. In fact, the Commission most re- 
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cently, in approving version 4, even reminded NERC that it needs 
to consider those NIST provisions and incorporate those NIST pro- 
visions, as appropriate, in version 5 of the standards. 

So, I can’t speak to the pending legislation. I’m sorry. Senator. 
I’m just not current with it. But I can say that the Commission is 
actively engaged in the NIST process, is actively working to incor- 
porate the relevant aspects of that NIST process into the NERC 
standards. 

Senator Wyden. Mr. Wilshusen 

Mr. Wilshusen. Yes 

Senator Wyden. You helped prepare this report, so do you have 
any comment? 

Mr. Wilshusen. Right. I would just add that what Mr. 
McClelland is referring to with section 215 is their ability to en- 
force mandatory standards established by NERC over the bulk 
power system. But under the Energy Independence and Security 
Act, which deals primarily with the implementation of smart grid 
technologies, much of those technologies are implemented and de- 
ployed at the distribution level, which is more under the purview 
of the State regulatory commissions and others. 

I believe EERC does not have the enforcement capability at that 
level, under EISA or 

Senator Wyden. Mr. Snitchler, that is fine with you? 

Mr. Snitchler. Senator, we 

Senator Wyden. Erom what I am hearing? 

Mr. Snitchler. Correct. We think we have got an adequate han- 
dle. Ohio has approached the smart grid deployment than other 
States — each of us has approached it in a different fashion — where 
we have rolled it out in a series of pilot projects with one utility 
that is now moving toward full deployment, others who are further 
behind the curve, but are moving forward. We have been able to 
work closely with those utilities to make sure that they are oper- 
ating in a way that gives us a level of comfort, that they have a 
sufficient amount of security going forward. 

We actually have had a couple of open dockets at the Commis- 
sion, in an effort to determine where companies are at, what steps 
are being taken. But, like other State commissions, it is sometimes 
a challenge to have our utilities come in and disclose the weak- 
nesses in their system. So, the issue of confidentiality, again, rears 
its head, even at the State level, as we try to protect that informa- 
tion and prevent it from becoming part of the public domain. 

Senator Wyden. Taiwan, Singapore, China, South Korea are 
among the largest manufacturers of semi-conductors and micro- 
processors for these smart devices. 

There are concerns that if a cyber criminal gained access to such 
devices, especially during a manufacturing process, they could cov- 
ertly insert code in the devices to impair its function. 

Eor any of you, are we testing these purchased devices to miti- 
gate potential vulnerabilities? 

Mr. Wilshusen. I guess I will take that question first. IT supply 
chain has been a key vulnerability into systems and the critical in- 
frastructures of this Nation. We issued a report earlier this year 
that dealt with IT supply chain and dealt specifically with some of 
the microprocessing chips. 
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We looked at several agencies, including DHS, Energy, Depart- 
ment of Defense. To a large extent, we found that the procedures 
for reviewing the vulnerabilities on IT supply chains and the types 
of equipment that are being acquired, agencies really have not es- 
tablished effective mechanisms to adequately address that vulner- 
ability. 

To some extent, it needs to be done at the national level, because 
the risks are more national in scope. The administration has re- 
cently developed an IT supply chain strategy. We are in the process 
of looking at that strate^ as part of our ongoing work. 

Senator Wyden. My time is up. Does anyone have another com- 
ment? I saw Mr. McClelland be nodding. 

Mr. McClelland. I would only add that, you know, hardware is 
one component. Any time there is two-way electronic communica- 
tion, there is a chance for compromise, and there are some very so- 
phisticated entities out there that employ various mechanisms, in- 
cluding hardware compromise, to accomplish that task. So, it is a 
critical aspect of network security. 

Senator Wyden. OK. Thank you, gentlemen. 

Mr. Chairman, thank you. 

The Chairman. Mr. McClelland, you mentioned this problem of 
electromagnetic pulse events. I gather our former Congressman 
and Speaker, Newt Gingrich, had a op-ed in the “Washington Post” 
this last week, where he argued that we need to pass legislation 
to protect against electromagnetic pulse events, and you seem to 
say the same thing in your testimony as I read it. 

Is there anything being done, just at the current time, to deal 
with this problem? 

Mr. McClelland. The Commission recently held a technical con- 
ference on this very subject. It invited NERC and industry experts, 
and it compared the Commission’s report through the Oak Ridge 
National Laboratory, to the NERC report. It asked for comments 
and sought consensus. 

So, the Commission does have the industry’s comments. We are 
reviewing what can be done, where there is areas of agreement and 
disagreement. But one thing that was encouraging from the con- 
ference is that we thought we heard, regardless of the scale of de- 
struction or damage to the equipment itself, there would be a wide- 
spread grid collapse, and everyone agrees that that must be pre- 
vented. 

So, coordinated studies need to be done among the entities. 
There are, likely, standards that need to be passed, not necessarily 
NERC standards, but industry standards, to prevent, you know, 
damage to vulnerable equipment. There is a subset of critical and 
vulnerable equipment that should be protected — no regrets actions 
that should be pursued to protect the public against this issue. 

The Chairman. I guess one obvious question is. What kind of 
timeframe are we talking about here? I have the distinct impres- 
sion we may be studying this issue while the electric grid collapses. 
What is your understanding of the timeframe to get something 
done? 

Mr. McClelland. The Commission is moving through comple- 
tion of reviewing those comments, and under existing authority, it 
can address the geomagnetic disturbance issue through reliability 
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standards. So, the Commission is now informing itself from the 
NERC study, from the Oak Ridge study, and from the public com- 
ments, and it is moving to review its options under its existing au- 
thority to address the issue. 

The Chairman. So, does that mean this year something is going 
to be done? 

Mr. McClelland. I’m sorry, I just can’t speak to the timing of 
Commission action. 

The Chairman. Whenever people talk about, “We’re moving to 
review our options,” that doesn’t sound like anything imminent to 
me. 

Mr. Cauley, did you have a point of view on this issue? What is 
NERC doing to solve this problem of the threat from electro- 
magnetic pulse attacks? 

Mr. Cauley. Thank you, Mr. Chairman. 

We issued a report in February, which put the engineering and 
science behind the characteristics of what kind of failures and 
things we might see, and we have initiated a number of actions. 
We issued an alert to industry. We have been working with NASA 
and NOAA in terms of enhancing the alert system, so we can let 
industry know if there is an issue impact coming, and that we can 
put the system in a more conservative position to withstand an 
event. 

We are also working with EPRI, Electric Power Research Insti- 
tute, in terms of locating monitors on — Earth current monitors, as 
well as equipment monitors, so we can understand and see the be- 
havior of the impacts and know what we need to do to address 
that. 

This is a long-term effort. I realize that we could have impacts 
near-term, but really there is a lot to learn and develop. We are 
also looking at doing testing on transformers, in terms of inducing 
Earth-type simulated currents in them and seeing how they behave 
and how they react. 

So, there is a lot of working on them on multiple fronts. We are 
not waiting for standards. We are actually moving on the engineer- 
ing and the modeling and the operational 

The Chairman. When you say you issued an advisory — or an 
alert, I guess — what did you refer to it as, an advisory or an alert? 

Mr. Cauley. It was a NERC alert, yes. 

The Chairman. An alert. Was that a set of directions to utilities 
to take particular action, or was this just basically saying, “Here’s 
a problem”? 

Mr. Cauley. This one was informative, sir, so it gave actions 
that could be taken if there was a impact full storm that was going 
to come toward the Earth, actions that would be recommended to 
be taken. But it was not issued as a required set of actions. 

The Chairman. So, no required actions have been 

Mr. Cauley. Not in this particular 

The Chairman. Recommended 

Mr. Cauley. That is correct. 

The Chairman. At this or put forward? 

Senator Murkowski, did you have other questions? 

Senator Murkowski. This is more of a general question to all of 
you. I think Mr. Wilshusen, you mentioned that, perhaps, stand- 
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ards should not be spelled out too specifically or utilities kind of 
get in this compliance mode of trying to meet the standards, in- 
stead of safeguarding the systems. 

We want to push everybody to be one step ahead of the guys that 
are trying to disassemble things, and so, we don’t want to get them 
focused on just checking the boxes off; we need them to be thinking 
ahead every single day. This whole issue of flexibility within a sys- 
tem, as opposed to a prescriptive set of standards concerns me. My 
concern is that the legislation that is being considered right now, 
not the secure IT, but what is coming out of Homeland, is a more 
prescriptive approach. 

Can I ask each of you to speak just to that issue, as to the need 
for flexibility in this area that allows us to be a little more nimble, 
rather than just complying with a set of standards? 

We’ll just go from you, Mr. McClelland, on down. 

Mr. McClelland. Thank you. Senator. 

I agree. I think all of the panelists would, too, that the individual 
entities have to have the latitude to have the directive, but not be 
so prescriptive as to tie them into any singular response. 

On the other hand, though, someone needs to make certain that 
the Mitigation Act is effective. Back to that question about Aurora, 
you know, it’s not enough just to collect survey data; it is important 
to verify the mitigation. So, I agree; I think the standard needs to 
compel action, but provide the latitude that the individual entities 
might need to address the issue on their systems. 

Mr. WiLSHUSEN. Yes, definitely, I think standards need to be 
flexible. They should not be overly prescriptive, because you want 
them to stand the test of time. You don’t want to necessarily 
change your standard every time there is a new threat or a new 
technology that emerges that presents additional vulnerabilities. 

As a parallel, in the Federal Government, NIST issues Federal 
information processing standards, which are mandatory require- 
ments. In addition, though, it has issued lower levels of guidance, 
usually through special publications and guidelines that provide in- 
creasingly more detailed actions that can be taken to secure sys- 
tems in cyber security. But they are more prescriptive, and they are 
at a greater level of detail than the actual Government-wide stand- 
ards. This greater level of detail is needed to effectively secure sys- 
tems. 

So, it is good NIST had that flexibility and multiple layers of 
guidance — standards, guidelines, and instructions, if you will, to 
provide to organizations to secure their systems. 

Senator Murkowski. Mr. Cauley. 

Mr. Cauley. Senator Murkowski, I agree, as well. The most ef- 
fective standards will be based on risk controls, setting up systems 
to catch issues that need to be identified, not on a prescriptive, 
line-by-line, rule-based-type standards. We are adopting those risk 
controls in the version 5 standards. We are looking at the NIST 
model. We have extracted from their set of standards, the ones that 
we think would work in the power system, and we are flushing 
those out within those standards. 

There is an added factor within — in the security arena, is that 
you really want to incent people to report issues. Because part of 
the intelligence is finding out what are the bad guys doing and 
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what information are we finding, and lots of little pieces mean 
something when you roll it all up together. 

So, if we are going in with a checklist style of compliance, it is 
not going to he helpful that. We want people reporting information, 
actively. I think we are on the right track for that. 

Senator Murkowski. Mr. Snitchler. 

Mr. Snitchler. Senator, at the risk of saying, me, too, I would 
agree with the comments made by the prior panelists. I think the 
flexibility that you have suggested, necessarily, moves into that re- 
siliency that can be developed by the multiple utilities that we reg- 
ulate, taking a different approach to achieve to same objective. 
That diversity of approach to solving a problem also potentially has 
the ability to keep an entire system from being knocked down, be- 
cause, instead of targeting one set of security concerns, you are 
looking at more than one set and ways that that problem may have 
been solved, and has the ability to require far more effort on the 
part of those that will do ill-will to the electric grid or to those who 
may be seeking to try and damage the country. 

I think, also, by moving away from a prescriptive, check-the-box, 
as you describe it, list is helpful, and that we are then charging the 
utilities that we regulate with being as far as they can, one step 
ahead of, in evaluating all the threats, whatever they may be. 

I know that I have been to at least one utility in Ohio’s command 
center where they are doing just that and have retained security 
folks to deal with those issues, in an effort to ensure that they are 
viewing all the potential sources of entry and all the potential man- 
ners in which they can respond and block those out, at various lev- 
els within their system. 

Senator Murkowski. Thank you, Mr. Chairman. 

The Chairman. Senator Udall. 

Senator Udall. Thank you, Mr. Chairman. 

Good morning to all of you. Thanks for joining us on this impor- 
tant topic. 

Mr. McClelland, if I could, I will start with you. This may be a 
tangent — a slight tangent, more accurately. I don’t know if any of 
the witnesses have addressed work force issues in their written tes- 
timonies, but I realize one of NERC’s standards refers to personnel 
training requirements. 

I am curious whether you believe we have the right people with 
the right training in place at FERC, at NERC, at the utilities, or 
elsewhere, to develop and implement the standards to keep the 
grid secure and respond to threats and vulnerabilities. 

Do you think we would be more secure with additional and better 
training to cyber warriors? 

Mr. McClelland. I would say, yes. We do have — the Commis- 
sion is fortunate to have — it is a small staff, but it is a very tal- 
ented staff that we have mostly drawn from other agencies, and 
they have spent their entire careers in cybsersecurity. I think 
NERC is also gifted with some of the employees that they have in 
place. But these folks are as scarce as hen’s teeth, and it is difficult 
to find them. In many cases, we steal them from each other. 

That said, we have been able to — and I know NERC has also 
taken advantage of this. We have leveraged the Intel agencies with 
some of the best, probably — well, undoubtedly, the best skill sets 
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in the world. So, we leverage those intel agencies to help us under- 
stand what the issues are and to address the threats. But, cer- 
tainly, more and well-trained cybersecurity people are something 
that we all need. 

Senator Udall. Others on the panel, care to comment? 

Mr. Cauley. 

Mr. Cauley. Gerry Cauley, NERC. I believe that is an oppor- 
tunity for us, and I think we do need to expand and grow our work 
force in terms of capabilities. It is another example of an oppor- 
tunity to partner between Government and industry. There is a 
training program at the Pacific Northwest Lab, and we have been 
running as many industry folks as we can through that. It is a very 
good, week-long program. It is very intense. But, we need more of 
that. 

Mr. WiLSHUSEN. I would 

Senator Udall. Mr. Wilshusen. 

Mr. Wilshusen. Yes, thank you. I would just add that, not only 
just within NERC and FERC, but throug:hout the Federal Govern- 
ment. We have issued a report earlier this year, too, about human 
capital challenges within the Federal Government, securing Fed- 
eral systems. Indeed, that is an area that is a prime consideration 
and concern. 

Mr. Snitchler. Good morning. Senator. 

Senator Udall. Mr. Snitchler. 

Mr. Snitchler. One of the issues that we have found, 
anecdotally, in talking with our utilities in Ohio, is that they have 
actively recruited from within the military, and have had good suc- 
cess with folks who are used to dealing with top secret clearance 
and higher on issues that involve issues of this nature at the util- 
ity. They have found that to be helpful. 

That being said, they are also at a premium, and it is very dif- 
ficult to find sufficient staff. I would agree with the prior comments 
about this being an opportunity for specific work force development 
that has long-term implications for the country. 

Senator Udall. Mr. Wilshusen, let me turn to you for the next 
question. 

You talk about the difficulties in the industry of sharing informa- 
tion on cybersecurity. Could you describe some ways that you think 
the electricity industry could improve in this area? 

Mr. Wilshusen. Yes, I think there are a couple of areas. One 
would be to have a mechanism in place in which the industry can 
collect actionable intelligence — or information about security inci- 
dents and vulnerabilities that may be present within the industry 
and then being able to share it with other members, but after it 
is been anonymized. 

Before you came, we talked about the need to anonymize certain 
threat information, alert information, so as not to put other compa- 
nies in peril. Then, those companies may be more willing to share 
information that they may have of any incidents occurring at their 
organizations. So, that will be one key area. 

Another is, to receive information from Federal sources and 
through NERC and FERC; particularly, getting additional informa- 
tion through the intelligence community, through Department of 
Homeland Security, on threats that are occurring and 
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vulnerabilities that are happening within those particular indus- 
tries. 

Senator Udall. Let me follow that up. In Colorado, we have the 
Western Cyber Exchange, which is a public-private partnership, 
and it works on a regional geographic basis, both on improving 
cybersecurity, and then on incident response. 

Do you think regional cross-sector models like this are something 
we could encourage and should encourage? 

Mr. WiLSHUSEN. I think they serve their place. You know, re- 
gional would help. But many of the threats are international in 
scope and come from other sources from which regional utilities — 
or groups may not have that information. That is why it is impor- 
tant at the Federal level, at least, threat information, alert infor- 
mation from the intelligence community, through DHS, be shared 
with those particular groups. 

Senator IJdall. Mr. Cauley or Mr. Snitchler, would you care to 
comment on that question, as well? 

Mr. Cauley. Yes, sir. We have the Information Sharing Analysis 
Center, and what I think we are trying to create is hubs of infor- 
mation connected to other hubs. So, ours is focused on the power 
system in North America, but we are connected to intelligence 
agencies, U.S.-served and other — the NCICs, who are plugged into 
these other sources, and we share information with our members 
in North America. 

I think the one other thing that we could do better is to have 
more access to clearances, and to create what I would call “fusion 
centers,” perhaps in cooperation with the FBI local offices, regional 
offices, where we can quickly get very detailed information at the 
classified level to people in industry who can understand, at a very 
granular level, what is the threat, and what actions should I take. 
That is an opportunity for us to think about. 

Mr. Snitchler. Senator, I think I would echo the comments from 
the GAO, where actionable information that has been sufficiently 
anonymized would be helpful, because the issue that we often hear 
is the question of. If I provide information, will this later be used 
against me? If it is, obviously, they are reluctant to share that in- 
formation. 

Frankly, if we get into a situation where we have a better way 
to exchange information, we can be implementing best practices 
and avoiding each individual company’s having to uncover and dis- 
cover the same problem and work their own solution, but would 
then have, in effect, a clearinghouse of known issues. Then, they 
could work to solve that with the flexibility within the standard 
that may be required. 

Senator Udall. Thank you all, again, for appearing and dis- 
cussing this very important topic. 

Thank you, Mr. Chairman. 

The Chairman. Senator Coons. 

Senator Coons. Thank you. Chairman Bingaman. 

Senator Bingaman, you have been beating the drum on this issue 
for some time now, and I was happy to join you last year in sup- 
porting the Grid Cyber Security Act. 

I am grateful to you and to Senator Murkowski for convening 
this panel into taking another look at where we stand and what 
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we and Congress have to do in order to raise the baseline for cyber 
defense in this most important sector for the American economy 
and the American people. 

Since we met on this topic a year ago, cybersecurity has become 
one of the most talked about challenges facing our Nation. Every- 
one, from the Secretary of Defense, who has said the next Pearl 
Harbor will be in cyberspace and is coming, to individual business 
leaders, have warned that the Nation as a whole faces a real 
threat, which Members of Congress need to work together to ad- 
dress. 

There is very few issues I lose more sleep about than our cyber 
vulnerabilities, and when I speak to experts, they simply cause me 
to lose even more sleep. So, I appreciate the opportunity to reduce 
my sleep opportunities further today. 

To Mr. Wilshusen of GAO; forgive me. Your written testimony 
said that when the GAO looked at the security of utilities, you con- 
cluded that, overall, they were focusing on regulatory compliance, 
more than a comprehensive security. I think that’s a quote. 

Can you elaborate about more — more on what about the existing 
approach, in fact, leads to standards becoming a ceiling, instead of 
a floor, for the level of cybersecurity, and what we could do in 
terms of standard-setting and internal partnerships that would 
strengthen an approach to comprehensive security, rather than 
mere compliance? 

Mr. Wilshusen. I think that one of the dangers when organiza- 
tions just focus on mere compliance is that they don’t take an over- 
arching view and develop a comprehensive program for assessing 
the risks and taking the appropriate steps to assure that they cost- 
effectively address those risks and mitigate them to an acceptable 
level. 

I think it is still important, though, that you do have standards 
or minimum baselines of security controls that can be consistent 
across a wide group of similar organizations, perhaps, an industry, 
taking into account that each entity may have separate risks and 
controls in place to help mitigate those risks. 

So, it is going to be important that each agency have an effective 
program for assessing the risk and then taking the appropriate 
steps to implement the appropriate controls to mitigate that. That 
would include, not only just assuring compliance with standards, 
but also taking other actions as determined necessary in the facts 
and circumstances. 

Senator Coons. If there were to be standards that were nego- 
tiated — that were agreed to between industry and regulatory agen- 
cies, for an area like cyber, where the threat seems to be rapidly 
evolving, how would you update, routinely, those standards in a 
way that contributed to actual comprehensive security; how would 
you do that in a way that balances the economic impact, the cost, 
with promoting and achieving actual security? 

Mr. Wilshusen. I think one way is, first off, with the standards. 
They need to be at a sufficiently high level to where they are flexi- 
ble enough to allow for movement in the implementation of controls 
to address emerging threats and vulnerabilities that occur. 

So, it really gets back to each agency or organization being able 
to determine what its risks are, and then take the appropriate con- 
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trols to mitigate them. At the same time, there needs to he a level 
of standards, such as the CIP standards, and prohahly have those 
evolve as going through the current process, to address new tech- 
nologies and vulnerabilities that occur. 

Senator Coons. Mr. Cauley, at NERC, you discussed that your 
biggest concern is a coordinated, actual physical and cyber attack, 
and that, perhaps, the combination of a terrorist attack in the 
physical world, followed by an attack that then takes down some 
critical infrastructure, such as the electric grid. I happen to agree 
that a cyber attack of this kind would be particularly dangerous. 
I would be interested in what sorts of public-private partnerships 
NERC is engaging in to prepare with or promote relationships with 
local and State responders to help mitigate those threats, and I 
would interested in where you hope to expand on those partner- 
ships in the future. 

Mr. Cauley. Thank you. Senator. 

We do work closely with State and local agencies, in terms of in- 
forming them what we are doing on the system and vulnerabilities. 
One of the most concerns that we have is any challenge that would 
do any permanent damage to equipment, so we work closely with 
law enforcement, FBI, in terms of securing the physical assets and 
investigating issues that come up with breaches and entry into 
substations and equipment, things like that. 

So, I think there is an opportunity to continue working on that 
and expand that, in terms of types of scenarios — of attack scenarios 
we might see and run through drills and sort of understand our 
communications: who has responsibilities; how do we need to move 
personnel from point A to point B and move equipment; and those 
kinds of things. So, it’s still an opportunity for us to continue work- 
ing and developing. 

Senator Coons. Broadly, how would you appraise the capabilities 
and the preparedness of State and local first responders, law en- 
forcement, emergency management agencies, to deal with this sort 
of a combined attack or the emerging threats of cyber? 

Mr. Cauley. I think we certainly see a lot of experience and 
practice there that gives us some confidence — when we have major 
storms come through, trees are down, and roads are blocked. A lot 
of the capabilities that come into play during an attack on the grid 
would be similar to those kinds of things. So, in terms of securing 
people, moving people, securing supplies, those kinds of things, I 
am confident in the capability of the local and regional law enforce- 
ment and first responders. 

Senator Coons. Thank you. 

Mr. Snitchler, at the utility, the PUCO that you are now a chair 
of, I was heartened in your prepared testimony to hear that you ad- 
dressed the importance, not only of public-private partnerships, but 
also Federal-State. I agree, since, in any of the scenarios we have 
been discussing, it is likely to be State and local responders who 
bear a lot of the responsibility, are likely to be first on scene, or 
likely to be leading the recovery effort. 

Now, but on an issue like cyber that doesn’t respect traditional, 
internal political boundaries or planning processes, how do you 
avoid wildly different standards that lead to uncertain and unreli- 
able security situations or potentially to overinvestment in security 
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that puts too much of a burden, in terms of the operating costs of 
utilities? 

Mr. Snitchler. Senator, I think you have hit on the — one of the 
primary issues that we often face at the Commission, which is. 
What is the appropriate cost and what can consumers and busi- 
nesses afford to pay, in order to have the safe, reliable system that 
they have come to expect? Certainly, we try to approach that, being 
mindful — as I put in my written testimony — about protecting those 
critical assets, determining what those are, those are your dia- 
monds, and giving them the appropriate level of protection, and 
then, having your — I hate to use the term “less valuable”, but those 
that perhaps are, for example, a transformer on a street as opposed 
to a substation that is going to power several city blocks. You 
would treat those two differently. As a result, you would make your 
investments in how you would want those to be treated differently. 

To move back to your first question, to address how do you — I 
think what you are asking is how do you not end up with a litany 
of ways for States to address these issues, when you have one issue 
that may be a national security issue or an attack on the country. 
I think you have to look at threats versus vulnerabilities. I think 
where you have a threat that has the ability to impact the entire 
country or a substantial region, then, certainly, there is a definite 
need for Federal involvement to be able to address those types of 
concerns. 

Where you have got a more localized issue or a vulnerability that 
could be exploited, then, certainly, there is a role for State commis- 
sions — the utilities and the State government, in general — to deal 
with those concerns. I think it is a little bit fact-specific, depending 
on exactly what the scenario you are describing is; but, certainly, 
it is not a good idea to have 51 different ways for us to evaluate 
a problem. But, I think if you break that problem down into a 
threat versus vulnerability, and then categorize or prioritize, you 
can arrive at a more comprehensive way of evaluating those issues. 

Senator Coons. Mr. Snitch, excuse me, Mr. McClelland, if I 
might, for a last question. 

I just would be interested in your level of confidence that we 
have got the information sharing and the collaboration in place to 
allow State and local operators to distinguish between an unex- 
pected outage, a rolling brownout, an equipment malfunction, and 
something that, in fact, has originated as a attack on the Nation, 
and then, to share relevant information in real time. 

Mr. McClelland. Thank you. Senator. 

There is certainly room for improvement. I think the important 
aspect is that the interconnections are very large; there are mul- 
tiple States within the interconnections. Because it is a network, 
and a tightly integrated network, the actions or inaction of any 
particular player can have a substantial impact on the rest of the 
interconnection. 

So, going back to your prior question, I think it is important that 
the entities communicate, that minimum standards be put into 
place. A minimum in security is a tricky business. 

Now, you mentioned before about, you know, sort of, what are 
the costs economically to put the standards in place or to put these 
protocols in place. But the world moves on, and it is a very small 
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place. What we are seeing is, you know, folks from around the 
world having access — or potential access to SCADA systems. You 
can no longer live in isolation. 

So, the question would he. What are the adequate security provi- 
sions that an entity must have to protect its business, and then, 
how do those practices compare with other practices? Are we shar- 
ing lessons learned? Are we sharing relevant intelligence? Is it ac- 
tionable intelligence, so that folks can see what is happening, they 
can learn from their neighbor, and they can put the security in 
place, because the threats are moving at lightning speed? 

So, as with you, it does keep us up at night. It is probably the 
most significant thing that we deal with. It actually has a potential 
to become much worse, because, as we add equipment that was 
previously dumb equipment and make it smart equipment, and 
give it two-way communication, and then give it the ability to 
speak with the largest generators on the system or to have a nexus 
to the largest generators on the equipment, then we have intro- 
duced a vulnerability. It would be like on-line banking, without 
cybersecurity. You really don’t want to go there. 

So, I think we are at a point now with the grid and the changing 
grid and the cyber connectivity, where no one can live in isolation. 
If there is connectivity, there is two-way communication; there has 
to be some sort of minimum protocols and there needs to be suffi- 
cient information sharing so that everyone is able to move ahead 
with a threat. 

Senator Coons. Thank you. 

Thank you, Mr. Chairman. Thank you, to the panel. 

The Chairman. Senator Murkowski, do you have additional ques- 
tions? 

Senator Murkowski. I am done, Mr. Chairman. Thank you, 
though. 

The Chairman. Senator Udall, did you have additional ques- 
tions? 

Senator Udall. Mr. Chairman, thank you for asking. If I might. 
I think much of this could be done for the record, but I wanted to 
ask Mr. Cauley what more can we at the Federal level do to re- 
cruit, train, and motivate young people to operate and defend our 
critical infrastructure, like the electric grid? 

Mr. Cauley. Senator, you know, I think by its — by the very at- 
tention and focus that we are putting on this, I think we are cre- 
ating sort of an attractive arena to go into, and I think, you know, 
we are seeing that in some of the schools, as well. 

But I think, ultimately, one of the other panelists mentioned re- 
cruiting military and people from Government. I think we have to 
recognize that the — sort of, the center of universe intelligence and 
security state-of-the-art is in the Government and in the military, 
and to the extent that it is not just the hiring of the people, but 
to do training and development programs and cooperative pro- 
grams. 

You know, I think information sharing and partnering between 
Government and industry are the two most important things we 
can do, and this is one area where we could do a lot more, in terms 
of Government sharing practices, the art and skill of security man- 
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agement. I think those kinds of things would be very useful for in- 
dustry. 

Senator Udall. Mr. Snitchler, would you care to comment? 

Mr. Snitchler. I would echo the comments from the other panel- 
ists. 

Ohio is blessed to have the Wright-Patterson Air Force Base near 
Dayton, where we have a substantial military presence, of course. 
As a result, we have a large number of military folks who may be 
being discharged from the Service and who are able to move into 
those positions. But, as I previously noted, even with that, we still 
find that there is a shortage. These skilled professionals, and they 
are exactly that, are in short supply and in high demand, and com- 
panies are working very hard to try and find them. 

I think one of the other panelists said, we typically end up raid- 
ing somebody else’s cupboard to find someone to be able to fit that 
need. That has been my experience in talking with the utilities 
that we regulate is, that is often times where they find them. I 
think a more concerted effort to demonstrate that when you have 
completed your time of Service, if you want to move into the pri- 
vate sector, these are some of the avenues that you can pursue to 
have a long-term viable career, because these issues are not going 
to go away. The skills that they bring to the table make them im- 
mediately valuable to an organization, and I think that has tre- 
mendous value. 

Senator Udall. I would note, as I conclude, that I sit on the 
Armed Services Committee. We are having some of these same dis- 
cussions with the Department of Defense, and they are also con- 
cerned about recruiting young cyber warriors, if you will. So, I 
think we have got to really focus on growing the pie, growing the 
sense that this is an important career path and work together, not 
only with the private sector and the public civilian sector, but also 
the Department of Defense. 

I look forward to working with all of you in that regard. 

Thanks, again, for your testimony. It is very helpful. Thanks. 

The Chairman. Yes, thank you very much. I think it has been 
a useful hearing. 

We will conclude the hearing with that. Thank you. 

[Whereupon, at 11:30 a.m. the hearing was adjourned.] 




APPENDIX 

Responses to Additional Questions 


Response of Gerry Cauley to Question From Senator Bingaman 

NERC registered entities are required under the currently effective NERC Critical 
Infrastructure Protection Standards (specifically Standard No. CIP-007-3, Require- 
ment 4) to have a malicious software prevention program to protect critical assets 
supporting the electric grid. The standard specifically requires a NERC registered 
entity to “use anti-virus software and other malicious software (“malware”) preven- 
tion tools” (emphasis added) to “detect, prevent, deter, and mitigate the introduc- 
tion, exposure, and propagation of malware.” 

Due to the use of the term “and”, the use of antivirus technology in a registered 
entity’s malware prevention program appears to he a minimum requirement for[sic]. 
However, there are other technologies, such as whitelisting, that are superior to 
antivirus in the protection of these critical assets, but if antivirus is a minimum re- 
quirement, this standard appears to present a roadblock to registered entities using 
those newer, superior technologies in malware prevention. 

Question 1. Please explain why registered entities should be at risk for noncompli- 
ance and penalties for using a malware prevention tool other than antivirus. 

Answer. NERC has not processed violations for a case as described. The focus dur- 
ing NERC audits is on assessing how the entities are handling and mitigating the 
virus or cyber intrusion risk, and not strictly on having both methods. NERC’s focus 
is on securing virus and malware no matter the tools. 

Antivirus software is a well-understood protection method, but it is only one 
method to detect, prevent, deter, and mitigate the introduction, exposure and propa- 
gation of malware. CIP-007-3 R 4 allows for and does not prevent the use of addi- 
tional and alternative methods. When used, antivirus technologies should be used 
in conjunction with other methods, such as whitelisting, file integrity checking, and 
computer and network behavior analysis. 

Version 5 of the CIP Standards, currently being finalized, requires that entities 
“deploy method(s) to deter, detect, or prevent malicious code” and “mitigate the 
threat of identified malicious code,” thus allowing flexibility by entities to implement 
the current anti-virus and/or anti-malware paradigm, implement whitelisting, or 
choose any other method so long as it meets the requirement to deter, detect, pre- 
vent, and mitigate threats posed by malicious code. 

Responses of Gerry Cauley to Questions From Senator Murkowski 

Question 1. A few months ago the White House and the Department of Homeland 
Security staged a mock scenario for Senators featuring a cyber-attack on the grid 
in New York City. I was disappointed to learn that neither FERC nor NERC was 
invited to participate in this exercise, particularly since at no time during the brief- 
ing did the Administration ever inform members that the utility sector is already 
subject to mandatory cyber standards to protect the Bulk Power System (BPS). Why 
was FERC not invited to participate in the Administration’s grid cyber-attack exer- 
cise? How does FERC interact with DHS in the cyber arena currently? Is DHS 
aware of the cybersecurity standards currently in place for the BPS? 

Answer. NERC is unaware of the circumstances regarding why FERC was not in- 
vited to the DHS exercise; NERC is also unaware of FERC’s interaction with DHS 
in the cyber arena. NERC was not invited to participate in the White House/DHS/ 
Senate briefings and thus could not brief Members and staff on the action that Con- 
gress took in the Energy Policy Act of 2005 to address mandatory standards for 
cybersecurity for the BPS, and how that authority has been implemented. 

DHS is aware that BPS owners and operators are subject to mandatory 
cybersecurity standards. In November 2011, NERC hosted the first-ever sector-spe- 
cific distributed play security exercise, GridEx, which involved NERC’s mandatory 
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cybersecurity standards. DHS personnel, including representatives from the Indus- 
trial Control Systems Cyber Emergency Response Team and the Office of Infrastruc- 
ture Protection (including the Electricity Sub-sector Specialists), helped plan and 
execute GridEx, and participated in it. 

In addition to awareness of NERC’s standards, DHS is also aware of Alerts issued 
by NERC’s Electric Sector Information Sharing Advisory Council (ES-ISAC). NERC 
and DHS agreed to have ES-ISAC employees staff the National Cybersecurity and 
Communications Integration Center, where the ES-ISAC has access to actionable in- 
telligence, including classified contextual information available to appropriately 
cleared staff within the BPS community. NERC also provides anonymous situational 
awareness to DHS analysts to supplement the information DHS received from the 
intelligence community. This effort is crucial to improving the level of threat aware- 
ness within the industry and improving information sharing between government 
and industry. 

As I mentioned in my testimony, NERC regularly interacts with DHS, partnering 
on many efforts, including several industry task forces working to improve security 
compliance and risk management. Specifically, DHS participates in the NERC Crit- 
ical Infrastructure Protection Committee and the Electricity Sub-sector Coordi- 
nating Council. Additionally, NERC has partnered with DHS for each Cyber Storm 
exercise to educate federal partners on the BPS and industry’s response to security 
threats. 

Question 2. Many of the hearing witnesses noted that you simply cannot protect 
an entity from all potential cyber-attacks. Mr. Snitchler from the Ohio PUC cautions 
that while you can try to “gold-plate” or even “platinum-plate” a system, the critical 
infrastructure we’re trying to protect will become too expensive to run. Instead, he 
suggests we prioritize, using a risk-based approach. Please comment on the issue 
of cybersecurity costs and the suitability of using a risk-based approach. Do you 
agree with Mr. Snitchler that we should be protecting “diamonds like diamonds” 
and “apples like apples”? Is the current FERC/NERC process for addressing cyher 
security vulnerabilities risk-based? If not, why not? 

Answer. Since becoming President and CEO of NERC, I have prioritized incor- 
porating a risk based approach to reliability. We are developing a strong portfolio 
of standards that address performance, risk containment, and competency. We are 
applying a defense-in-depth strategy that has proven successful in managing risks 
in critical sectors, such as nuclear as well as the aerospace industry. I am fully con- 
fident that this approach will work well in managing risks to the reliability of the 
BPS. 

The NERC CIP Standards have always approached cybersecurity protection from 
a risk management basis. Version 4 of the CIP standards (approved by FERC ear- 
lier in 2012) established a set of impact-based “bright lines” to remove subjectivity 
from the process of determining what BPS components are deemed “critical.” Under 
this paradigm, industry resources are focused on protecting the BPS components 
that have the most impact on reliable operations. 

Version 5 of the CIP Standards will have a three-tier approach for the categoriza- 
tion of critical cyher assets. Under Version 5, industry resources will still be focused 
on protecting the components with the greatest potential to affect the BPS at the 
highest levels, while recognizing that the remaining components still contribute to 
reliable operations of the BPS, and thus must be appropriately protected. 

Question 3. What are NERC’s standard operating procedures once it receives cred- 
ible threat intelligence that may affect the bulk electric system? 

Answer. NERC’s Electricity Sector Information Sharing and Analysis Center (ES- 
ISAC) has developed different Alerts to inform industry about emerging threats. 
Alerts are different from standards, and can be developed and issued very quickly, 
depending on the urgency of the situation. 

Specifically, the ES-ISAC first reviews classified information with industry subject 
matter experts (SME) who hold the appropriate level of security clearances. As a 
part of the vetting process, a preliminary saturation and impact assessment deter- 
mines the relative significance a compromise of the targeted technology would have 
on the BPS. Once NERC and the industry SMEs determine how a compromise may 
occur and the potential impact or significance of the compromise, ES-ISAC staff and 
industry SMEs develop a draft Alert that contains specific, actionable information 
that BPS entities can use to establish a defense against tbe threat or help reme- 
diate an already existing impact. 

This draft Alert, which should be no more sensitive than “For Official Use Only,” 
is then distributed to a larger technical team of BPS SMEs called the HYDRA 
Team. The HYDRA Team is a broad coalition of industry volunteers with specialties 
in fields such as transmission, generation, planning, operations, and cybersecurity 
of industrial control systems. Typically, the vendor of the targeted technology is also 
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involved in the Alert review, as is the vulnerability researcher who discovered the 
underl 3 dng vulnerability in the technology. Members of the technical staffs of the 
DOE, DHS, and the FERC are also members of the HYDRA Team. They receive 
draft Alerts and contribute to making final Alerts valuable for the industry. 

The finalized Alert is then sent to both US (including EERC) and Canadian gov- 
ernmental authorities for their final review and comment. Thereafter, the Director 
of the ES-ISAC/Chief Cyber Security Officer approves the Alert for release to indus- 
try. When the Alert is distributed, it not only goes to NERC’s Registered Entities, 
but also to other Electricity Sub-sector participants. Alerts may also be targeted to 
groups of entities based on their NERC-registered functions (e.g.. Balancing Au- 
thorities, Planning Authorities, Generation Owners, etc.). Using this process, NERC 
has issued an alert in as little as 32 hours after receiving classified information 
about a threat. 

Question 4. On Thursday, July 19, 2012, FERC approved an order that allows the 
ERO to fine the Southwestern Power Administration up to $19,500 for violating two 
cybersecurity-related reliability standards in July 2011. Please explain the nature 
of these cybersecurity violations. I understand that DOE believes the federal govern- 
ment is exempt from such penalties under the Federal Power Act. Please specify for 
the Committee why the federal government is, in fact, subject to compliance with 
the FERC/NERC reliability standards, including cybersecurity standards. 

Answer. The Southwestern Power Administration (SWPA) violated NERC CIP- 
004-1 (Cyber Security — Personnel and Training) and CIP-007-1 (Cyber Security — 
Systems Security Management). CIP-004-1 sets out requirements for personnel that 
have authorized cyber access or authorized unescorted physical access to Critical 
Cyber Assets, including requirements related to personnel risk assessment, training, 
and security (including cyber security). CIP-007-1 sets out requirements related to 
security systems determined to be Critical Cyber Assets and other assets within an 
“Electronic Security Perimeter.” 

Agencies and instrumentalities of the federal government that are users, owners 
and operators of the bulk power system (such as the Tennessee Valley Authority 
and the Bonneville Power Administration) are subject to compliance with the FERC/ 
NERC Reliability Standards, including cybersecurity standards. DOE has recog- 
nized that such entities are subject to the Reliability Standards, but it has taken 
the position that neither EERC nor NERC may impose financial penalties on those 
entities for violation of the standards. 

By way of background. Section 215(c) of the Eederal Power Act (FPA), 16 U.S.C. 
§ 824o(c), authorizes FERC to certify and oversee an electric reliability organization 
(ERO) responsible for developing and enforcing mandatory Reliability Standards 
that are applicable to all users, owners and operators of the Bulk-Power System 
(BPS). FERC certified NERC as the ERO in 2006, ^ and has since approved over one 
hundred national Reliability Standards as mandatory and enforceable, pursuant to 
EPA Section 215(d). 

FPA Section 215(b) (1), “Jurisdiction and applicability,” describes FERC’s reli- 
ability jurisdiction as follows: 

The Commission shall have jurisdiction . . . over ... all users, owners 
and operators of the bulk-power system, including but not limited to the en- 
tities described in section 201(f) . . . for purposes of approving reliability 
standards established under this section and enforcing compliance with 
[FPA Section 215]. All users, owners and operators of the bulk-power sys- 
tem shall comply with reliability standards that take effect under this sec- 
tion. 

Because they are described in FPA Section 201(f), agencies or instrumentalities 
of the United States are expressly included within the term “users, owners, and op- 
erators of the bulk-power system” in Section 215 and made subject to FERC’s juris- 
diction to both approve and enforce reliability standards. The requirement in FPA 
Section 215(b)(1) that all users, owners and operators of the bulk-power system 
must comply with reliability standards that take effect under Section 215 thus ap- 
plies to Federal entities. 

In orders issued since 2009, FERC has held consistently that a federal entity that 
uses, owns or operates the Bulk-Power System must comply with mandatory Reli- 


1 North American Electric Reliability Corp., 116 FERC § 61,062, order on reh’g and compli- 
ance, 117 FERC § 61,126 (2006), order on compliance, 118 FERC § 61,190, order on reh’g 119 
FERC § 61,046 (2007), affd suh nom. Alcoa Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009). 
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ability Standards.^ Most recently, in its July 19, 2012 order, FERC found that Sec- 
tion 215 explicitly conveys authority to assess a monetary penalty against a federal 
entity that is a user, owner, or operator of the Bulk-Power System for violations of 
a mandatory Reliability Standard.® FERC rejected arguments that the grant of en- 
forcement authority under FPA Section 215 is limited by the scope of the Commis- 
sion’s general civil penalty authority over federal entities, as set out in FPA Section 
316A, and instead found that the separate grant of penalty authority over federal 
entities under FPA Section 215 is “explicit and unambiguous.” FERC found that this 
penalty authority under FPA Section 215(e) applies to both the ERO and the Com- 
mission. 

Response of Gerry Cauley to Question From Senator Barrasso 

Question 1. In your testimony, you encourage Congress to “facilitate information 
sharing between the public and private sector.” You recommend “making more 
clearances available to industry, identifying alternative methods to communicate 
classified information to our Canadian partners, and encouraging increased informa- 
tion sharing by US Government departments and agencies with asset-owners.” 
Would you please expand upon the steps Congress should take to facilitate informa- 
tion sharing between the Federal government and industry? 

Answer. The most important action that can be taken to address cybersecurity is 
improving information sharing. Improved information sharing depends on a funda- 
mental understanding by government that the private sector owners and operators 
of the BPS need to know as much as possible about a threat, as soon as possible, 
so that they can take the appropriate action. The owners and operators of the BPS 
know their systems and the consequences that actions taken in one part of the BPS 
may have for another part. They cannot merely be told that there is a threat; they 
must be provided with sufficient information about the threat so that proper mitiga- 
tion measures can be developed. In NERC’s experience, this has been difficult for 
government security professionals to understand. As I noted in the hearing, it took 
more than three years to get actionable information from the government on the Au- 
rora vulnerability. Once that information became available in a form that NERC 
could share with industry, NERC issued an Alert to industry, and industry then 
began developing mitigation plans. 

Any action Congress can take to make more secret-level clearances available to 
the Electricity Sub-sector would assist in information sharing efforts. Individuals 
from the Electricity Sub-sector should be able to access and analyze classified infor- 
mation and share it among other cleared partners. In addition, in the instance of 
a cyber attack, these individuals should be assured that they have access to local 
secure centers, such as fusion centers or local Federal Bureau of Investigation of- 
fices. 

Continued support for NERC’s existing cybersecurity efforts, including NERC 
standards and the Electricity Sector Information Sharing and Analysis Center (ES- 
ISAC), the Electric Sector Coordinating Council and NERC’s grid security exercise 
and conference, which provide forums for improving information concerning 
cybersecurity among the public and private sector, is appreciated. NERC’s ES-ISAC 
is one of the most effective tools NERC has to inform industry about emerging 
cybersecurity threats through Alerts. As I mentioned in my testimony, the ES-ISAC 
partners with several industry and government organizations to not only share crit- 
ical cyber information, but to also develop these Alerts. 

Also, reflecting the international nature of the BPS, NERC is responsible for en- 
suring the reliability of the BPS within the US and Canada. Currently, NERC is 
unable to share sensitive information regarding cyher threats or vulnerabilities with 
our Canadian partners. We are aware that the government has mechanisms in place 
to facilitate government-to-government information sharing at classified levels. Fur- 
ther work needs to be done to facilitate information sharing with industry officials 
in Canada, as well. 


Responses of Joseph McClelland to Questions From Senator Bingaman 

Question 1. You testify that the majority of the Directives that FERC issued in 
Order No 706 have yet to be addressed. Could you describe some of the most impor- 
tant of them? 


2 North American Electric Reliability Corp., 129 FERC § 61,033 (2009) (2009 Jurisdictional 
Order), reh’g denied, 130 FERC § 61,002 (2010); North American Electric Reliability Corp., 133 
FERC § 61,214 (2010), reh’g denied, 137 FERC § 61,044 (2011). 

® North American Electric Reliability Corporation, 140 FERC § 61,048 (2012). 



61 


Answer. First, the Commission directed NERC to develop a process of external re- 
view and approval of critical asset lists in order to ensure that the proper assets 
were consistently covered by the CIP standards under a system that depends on the 
entities to self-designate their equipment. In Order No. 761, the Commission stated 
that the adoption of appropriate, bright line criteria for Critical Asset identification 
may obviate the need for an external review. However, as stated in that order, 
whether this development ultimately eliminates the need for an external review 
process as directed in Order No. 706 will depend on the discretion allowed to indi- 
vidual registered entities to self-identify and characterize assets or systems for crit- 
ical infrastructure protection to support the nation’s bulk-power system. It also will 
depend on whether the bright line criteria generally include adequate facilities. Sec- 
ond, Order No. 706 directed the ERO to require immediate revocation of access 
privileges when an employee, contractor or vendor no longer performs a function 
that requires physical or electronic access to a critical cyber asset for any reason 
(including disciplinary action, transfer, retirement, or termination). 

Question 2. Some have argued that FERC has the authority to order NERC to 
produce a fairly specific standard. Could you do so, and if you did what would be 
the process then? 

Answer. The Commission can direct NERC to develop a reliability standard to ad- 
dress a specific reliability matter. However, the Commission cannot ensure that the 
content of the standard returned to it by NERC will adequately respond to the spe- 
cific reliability matter as the Commission may not directly author or modify a reli- 
ability standard under section 216. Under section 215, reliability standards must be 
developed by the ERO through an open, inclusive, and public process. The NERC 
process is intended to develop consensus on both the need for, and the substance 
of, the proposed standard. Although inclusive, the process is relatively slow, open 
and unpredictable in its responsiveness to the Commission’s directives. 

Responses of Joseph McClelland to Questions From Senator Murkowski 

Question 1. A few months ago the White House and the Department of Homeland 
Security staged a mock scenario for Senators featuring a cyber-attack on the grid 
in New York City. I was disappointed to learn that neither FERC nor NERC was 
invited to participate in this exercise, particularly since at no time during the brief- 
ing did the Administration ever inform members that the utility sector is already 
subject to mandatory cyber standards to protect the Bulk Power System (BPS). Why 
was FERC not invited to participate in the Administration’s grid cyber-attack exer- 
cise? How does FERC interact with DHS in the cyber arena currently? Is DHS 
aware of the cybersecurity standards currently in place for the BPS? 

Answer. I do not know why the Commission was not involved in this exercise. 
That question is best answered by those who organized the exercise. 

With respect to the Commission’s interaction with DHS, Commission staff works 
closely with the DHS both on an informal basis and through formalized processes 
such as the Industrial Control Systems Cyber Emergency Response Team (ICS- 
CERT), the Cyber Unified Coordination Group, and the National Protection and Pro- 
grams Directorate at DHS. Commission staff meets monthly with the Nuclear Regu- 
latory Commission (NRC), Federal Bureau of Investigation (FBI), and the Depart- 
ment of Energy (DOE) at the Top Secret/ Sensitive Compartmented Information 
level to discuss events and threats. Meetings with ICS-CERT are also conducted as 
required to discuss imminent threats and events that could impact the security of 
the electric grid. The meetings take place so the ICS-CERT can provide guidance 
to entities on how to address these issues. 

Question 2. Many of the hearing witnesses noted that you simply cannot protect 
an entity from all potential cyber-attacks. Mr. Snitchler from the Ohio PUC cautions 
that while you can try to “gold-plate” or even “platinum-plate” a system, the critical 
infrastructure we’re trying to protect will become too expensive to run. Instead, he 
suggests we prioritize, using a risk-based approach. Please comment on the issue 
of cybersecurity costs and the suitability of using a risk-based approach. Do you 
agree with Mr. Snitchler that we should be protecting “diamonds like diamonds” 
and “apples like apples”? Is the current FERC/NERC process for addressing cyber 
security vulnerabilities-risk based? If not, why not? 

Answer. In general, the use of a risk-based approach to identify assets that are 
critical to the operation of the Bulk Power System can be suitable. The cost of cyber 
protection must be considered against both the effectiveness of the measures and 
the impact that the facilities in-question can have on the reliability of the Bulk 
Power System. However the designation of “diamonds” does not just depend upon 
the size or expense of the equipment, but also depends upon the connectivity of the 
equipment, whether it can be compromised and, in turn, be used to compromise 
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other equipment that may alone or in aggregate successfully compromise the oper- 
ation of the Bulk Power System or the customers it serves. 

The currently applicable CIP standards include a risk-based methodology to deter- 
mine which facilities are “critical assets and the associated critical cyber assets,” 
and therefore are subject to the requirements of the CIP reliability standards. How- 
ever these standards allow utilities significant discretion to determine which of their 
facilities fit that description. The recently-approved Version 4 CIP Reliability Stand- 
ards, which will go into effect on April 1, 2014, replace this risk-based assessment 
with “bright line” criteria. Version 4 relies upon the affected entities to self-des- 
ignate their “Critical Cyber Assets”. Only facilities that are self-designated by the 
regulated entities as “Critical Cyber Assets” are covered under the CIP standards. 
In order to help guide their decisions, the CIP standards identify categories of “Crit- 
ical Assets” as a starting point in the process. If the entities have any “Critical As- 
sets” (i.e., such as generating stations at 1600 MW or above, reactive power supplies 
at 1000 MVAR or above, transmission facilities at 500 kV or above, etc.), they are 
then required to determine if they have any “Critical Cyber Assets” at these facili- 
ties and if they decide that they do, those facilities will fall under the CIP stand- 
ards. Entities can only designate “Critical Cyber Assets” from the “Critical Asset” 
list. 

In Order No. 761, the Commission supported the application of the tiered-ap- 
proach in the National Institute of Standards and Technology (NIST) Framework. 
That framework would, among other things, (1) ensure that all Cyber Systems asso- 
ciated with the Bulk-Power System, based on their function and impact, receive 
some level of protection; (2) customize protection to the mission of the cyber systems 
subject to protection; and (3) apply a tiered approach to security controls that speci- 
fies the level of protection appropriate for systems based upon their importance to 
the reliable operation of the Bulk-Power System. The Commission stated that incor- 
porating these applicable features of the NIST Framework into the CIP Reliability 
Standards would be a positive step in improving cyber security for the Bulk-Power 
System. In addition to considering the NIST Framework, the Commission in Order 
No. 761 stated that the criteria adopted for the purpose of identifying Critical Cyber 
Assets should include a cyber asset’s “connectivity” and its potential to compromise 
the reliable operation of the Bulk-Power System. Therefore, we expect Version 5 to 
address these issues. NERC, in its comments to the CIP Version 4 proceeding, stat- 
ed that it is incorporating into the Version 5 CIP Reliability Standards the NIST 
risk-based approach. 

Question 3. We hear a lot about the potential benefits from smart grid systems, 
including reduced rates and improved reliability. However, we’re starting to hear 
more about an unintended consequence from smart grid systems — namely that the 
smart grid’s reliance on IT systems and networks exposes the electric grid to 
cybersecurity vulnerabilities which could be exploited by attackers. In the 2007 en- 
ergy bill. Congress directed NIST to develop smart grid interoperability standards 
that FERC would later adopt. I understand that while NIST has developed these 
standards, FERC has not yet taken action because of a lack of consensus on the 
standards. 

a. The 2009 stimulus bill provided over $4 billion in smart grid funding before 
these NIST interoperability standards were even developed. In fact, the stim- 
ulus bill provided $10 million in funding for NIST to perform the standard de- 
velopment work. What cybersecurity protections were included in the smart grid 
assets purchased with stimulus money? Doesn’t it cost more to implement secu- 
rity after the network is already up and running? 

Answer. I do not know what cyber security protections were included in any as- 
sets purchased with the stimulus money, since this program was administered by 
the Department of Energy. Generally, it costs more and may be less effective to im- 
plement security after a network is installed. 

b. GAO has previously suggested that FERC monitor industry compliance 
with NIST’s voluntary smart grid standards. Has the Commission done so? If 
not, why not? What is FERC doing in the smart grid arena with regard to 
cybersecurity standards? 

Answer. The Commission has not monitored compliance with NIST’s voluntary 
smart grid standards. Much of the smart grid involves facilities used in local dis- 
tribution, which are not under the Commission’s Federal Power Act (FPA) jurisdic- 
tion. However, Commission staff attends and observes meetings of the NIST Cyber 
Security Working Group, Smart Grid Task Force, and participates in a collaborative 
with the National Association of Regulatory Utility Commissioners concerning the 
smart grid. Commission staff also regularly performs outreach to NIST and the 
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Smart Grid Interoperability Panel and is following the development of smart grid 
standards. Commission staff also monitors developments of the North American 
Synchrophasor Initiative (NASPI) relative to applicable cyber security standards. 
Lastly, pursuant to its FPA 215 responsibilities Commission staff attend and par- 
ticipate in the NERC standards development process — including the CIP standards. 
Commission staff offers guidance that can include information relevant to the smart 
grid. 

Question 4. You testified that because FERC’s Federal Power Act authority does 
not extend to local distribution facilities there may be some “significant facilities 
[that are] vulnerable to the threat of a cyher or physical attack.” Mr. Snitchler’s tes- 
timony included a snapshot of state actions, including those undertaken in New 
York, that demonstrate a proactive stance on cyber security. Are there particular 
cities or local facilities where FERC is concerned no action has been taken by your 
state counterparts to protect their distribution system from cyber incursions? 

Answer. I cannot identify specific cities or local facilities where no action has been 
taken by the states but am aware of the types of risks which such facilities might 
be facing. 

Question 5. Throughout your testimony you note your frustration with the time 
it takes for NERC and its stakeholder process to develop these cybersecurity stand- 
ards. However, NERC filed its enhanced Critical Cyber Asset Identification Stand- 
ard (CIP-002 version 4) with the Commission in February 2011 and it took FERC 
a full 14 months to approve that revision. Why is it taking so long for the Commis- 
sion to act on such filings and what can the Commission do by way of improvement? 

Answer. In general, the Commission could shorten the time to process the NERC 
filings using an Order versus a Notice of Proposed Rulemaking (NOPR). The NOPR 
process requires the Commission to propose Commission action on the standard. 
The Commission must then solicit comments on the NOPR and issue a Final Rule 
on the proposed standard. Although longer, the NOPR process allows for open com- 
munication between the Commission and the commenters including opportunities 
for meetings between Commission members and individual stakeholders and indus- 
try interest groups on the Commission’s proposed dispositions. Because the Commis- 
sion may not directly author or modify a reliability standard under section 215, the 
NOPR process is the most effective way to detail the Commission’s concerns regard- 
ing a proposed reliability standard before issuing a final rule regarding that stand- 
ard. In Order No. 693, the Commission stated that it anticipates that it will address 
most, if not all, new Reliability Standards proposed by NERC through the more 
open rulemaking process which has been strongly preferred by industry. Addition- 
ally, the CIP cyber security standards are extremely technical and it takes both the 
Commission time to appropriately analyze them and the industry time to prepare 
its comments to the Commission proposed rule. These procedures, which ensure the 
Commission has a sufficient record on which to act on the technical aspects of the 
cyber security standards, take time to implement. 

Specifically with respect to the Version 4 standards, on February 10, 2011, NERC 
filed a petition seeking Commission approval of the Version 4 CIP Reliability Stand- 
ards. On April 12, 2011, Commission staff issued a data request to NERC in order 
to receive supplemental information necessary to understand the filing because the 
filing lacked information necessary for the Commission to process them. On April 
13, 2011, NERC requested an extension of time to respond to a portion of the Com- 
mission’s April 12, 2011 data request. The Commission granted this request, and 
NERC provided the information on May 27, 2011 and June 30, 2011. The Commis- 
sion issued the Notice of Proposed Rulemaking September 15, 2011 and allowed 60 
days from publication in the Federal Register for the industry to comment, or No- 
vember 21, 2011. The Commission then issued the final rule on April 19, 2012, 150 
days later, after reviewing comments from 28 entities and reply comments from 
NERC. 

Question 6. The electricity sector has told us that what it needs in the event of 
a cybersecurity emergency is timely, specific, and actionable information. Does 
FERC agree? What do the words “timely, specific and actionable” mean to FERC? 

Answer. I agree with this statement. I believe that “timely, specific and action- 
able” means that, to prevent a significant risk of disruption to the grid, the informa- 
tion should allow mitigating action to be taken before a cyber security event. Be- 
cause cyber events have the ability to compromise multiple systems simultaneously, 
both prevention and quick intervention are keys. Sufficient and accurate informa- 
tion about both the vulnerability and the targeted systems must be available to de- 
velop specific details regarding how to defend, mitigate, or eradicate a cyber attack 
as quickly as possible, which may require pre-emptive mandatory actions in order 
to be effective. Specific and actionable means that the information must he detailed 



64 


in a manner for the owner/operators to be able to quickly apply the mitigations to 
the equipment allowing for prevention or mitigation of a cyber attack. 

Question 7. On Thursday, July 19, 2012, FERC approved an order that allows the 
ERO to fine the Southwestern Power Administration up to $19,500 for violating two 
cybersecurity-related reliability standards in July 2011. Please explain the nature 
of these cybersecurity violations. I understand that DOE believes the federal govern- 
ment is exempt from such penalties under the Federal Power Act. Please specify for 
the Committee why the federal government is, in fact, subject to compliance with 
the FERC/NERC reliability standards, including cybersecurity standards. 

Answer. That order is subject to rehearing, so I cannot comment at this time on 
the issues presented in the proceeding. For your convenience, attached is the Com- 
mission’s order in that proceeding. 

Responses of Joseph McClelland to Questions From Senator Barrasso 

In your testimony, you state that “[t]he Commission is committed to protecting 
the reliability of the nation’s bulk electric system.” However, I am concerned that 
the Commission, under Chairman Wellinghoff, has downplayed the cumulative im- 
pact of EPA’s new and proposed regulations on electric reliability. On May 17, 2011, 
Senator Murkowski sent a letter to Chairman Wellinghoff inquiring about the im- 
pact of EPA’s regulations on reliability. Commissioner Norris has testified that he 
had three conversations last year with Heather Zichal, Deputy Assistant to the 
President for Energy and Climate Change Policy, “regarding FERC staffs review of 
EPA regulations.” Commissioner Norris testified that Ms. Zichal contacted him on 
two occasions — in late June or July of 2011 — “for information on the timing of the 
FERC studies on the reliability impact of the pending EPA Rules and the timing 
of FERC responses to Sen. Murkowski’s questions to the Commissioners.” Notably, 
Chairman Wellinghoff and Commissioners Norris and LaFleur did not respond to 
Senator Murkowski until August 1, 2011 — more than two months after receiving the 
Senator’s letter. In their response, the Chairman and Commissioners Norris and La- 
Fleur revealed that your staff had — after almost one year — completed only an “infor- 
mal assessment” of the impact of EPA’s regulations on reliability. Your staffs anal- 
ysis found that as much as 41 GW of coal-fired generating capacity was “very likely” 
to retire, with another 40 GW “likely” to retire, on account of EPA’s regulations. On 
September 14, 2011, Chairman Wellinghoff testified before the House Subcommittee 
on Energy and Power and characterized your staffs analysis as “back-of-the-enve- 
lope.” However, your staffs analysis, as far as I can tell, is turning out to be a rea- 
sonably accurate prediction of the retirements. I am concerned that it took an in- 
quiry from this Committee to bring your staffs analysis to light. I am also con- 
cerned about the timing of that analysis. 

Question 1. Have you or any member of your staff had any direct or indirect con- 
tacts or exchanges, in person, by telephone, electronic mail, or otherwise (e.g., to- 
gether with or in the company of the Chairman or any Commissioner(s)), with Ms. 
Zichal or anyone in the Executive Office of the President (EOP) about the potential 
impact of EPA’s regulations on electric reliability or on any other subject (e.g., the 
“informal assessment” as Chairman Wellinghoff used the term in his correspondence 
with Senator Murkowski, or “FERC staffs review” or “FERC studies” as Commis- 
sioner Norris used the terms in his testimony)? If so, please list the dates the con- 
tacts or exchanges took place and provide the names and titles of the individuals 
involved in these contacts or exchanges. 

Answer. To the best of my knowledge, neither I nor my staff has had any direct 
or indirect contacts with Ms. Zichal or anyone in the Executive Office of the Presi- 
dent on these issues, except as noted in the Chairman’s response to Senator Mur- 
kowski’s May 17, 2011 letter. 

Question 2. What was the purpose and the subject matter of the contact(s) or ex- 
change(s) you have identified in question 1? 

Question 3. Have you or any member of your staff advised or provided any infor- 
mation to the Chairman or any of the Commissioners in connection with any contact 
or exchange (to include, as in question 1 above, in person, by telephone, electronic 
mail, or otherwise) that the Chairman or any Commissioner may have had with Ms. 
Zichal or others in the EOP? If so, (a) what was the purpose and the subject matter 
of the advice or information you or your staff gave to the Chairman or Commis- 
sioners) in connection with contacts or exchanges with Ms. Zichal or others in the 
EOP; and (b) please list the dates the contacts or exchanges took place and provide 
the names and titles of the individuals involved in these contacts or exchanges. 

Answer. No 
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Response of Todd A. Snitchler to Question From Senator Bingaman 

Question 1. Mr. Wilshusen has recommended that FERC coordinate with the 
states and other nonjurisdictional entities (such as Coops or munis) to evaluate the 
extent to which utilities are complying with voluntary standards and to develop 
strategies for addressing gaps in compliance. Does that sound like a recommenda- 
tion that you would welcome? Would it work, given the splits in jurisdiction, dif- 
ferences in state laws and regulations and the fact that many entities are jurisdic- 
tional neither at the state or federal level? 

Answer. Reco^ition must be given that voluntary standards are, indeed, vol- 
untary. By requiring utilities to develop strategies for addressing “gaps in compli- 
ance”, these “voluntary” standards then become ones which are mandatory. I do not 
believe we are all (FERC, states, utilities) in agreement with respect to mandatory 
standards or which standards, if any, ought to be mandatory. However, I believe 
that there could be benefits to having increased coordination between the states, 
non-jurisdictional entities, jurisdictional utilities, and the federal government in ad- 
dition to the existing FPA §215 process. A collective meeting of the parties would 
be useful in sorting out and resolving these issues. 

Response of Todd A. Snitchler to Question From Senator Murkowski 

Question 1. You note that the Ohio PUC has worked closely with the Wright Pat- 
terson Air Force Base. What can you tell us about your state’s efforts in working 
with the military? 

Answer. The Public Utilities Commission of Ohio has met with Wright Patterson 
Air Force Base (WPAFB) representatives on a variety of topics and issues over the 
years. Our staff addressed WPAFB representatives on energy assurance issues back 
in 2009. At that time, the PUCO encouraged WPAFB personnel to engage in mean- 
ingful discussions with their local electric utility regarding the specific needs and 
concerns for base operations, enhanced reliability requirements, and mitigating 
threats to these enhanced reliability requirements (including generation/supply, dis- 
tribution/delivery, and system security — physical as well as cyber). Also at that 
time, the PUCO offered to facilitate those discussions, but was assured that appro- 
priate base personnel would work directly with the appropriate utility personnel on 
these issues. Subsequently, the PUCO extended an invitation to WPAFB representa- 
tives to participate in Ohio’s Energy Assurance tabletop exercise conducted in June 
2011; a major component of the event featured a cybersecurity panel discussion with 
representatives from: the U.S. Department of Energy’s Cybersecurity for Energy De- 
livery Systems (CEDS) program; the Supervisory Special Agents for the Cyber 
Squads in the Cincinnati and Cleveland Divisions of the U.S. Federal Bureau of In- 
vestigation; a Cyber Security Advisor from the U.S. Department of Homeland Secu- 
rity’s National Cyber Security Division; the two Protective Security Advisors from 
the U.S. Department of Homeland Security’s Office of Infrastructure Protection 
which serve the State of Ohio; and Ohio’s Homeland Security Advisor. Additionally, 
the PUCO met with representatives from the electric utility serving WPAFB as 
early as 2009 to discuss the utility’s cybersecurity program and posture. 

The PUCO also was instrumental in working with the U.S. Air Force at WPAFB 
to eliminate our nation’s, and especially our military’s, dependence on foreign oil. 
Research into synthetic fuel from domestic coal, shale, biomass, and other sources 
using the Fischer-Tropsch process in order to reduce our dependence on foreign oil 
and achieve greater price stability has resulted in the creation of the Assured Aero- 
space Fuels Research Facility (i^FRF). This lab was created to perform essential 
research and development of these coal-to liquid, biomass-to-liquid, and shale-to-liq- 
uid synthetic fuel technologies. It serves as an excellent research tool for profes- 
sional researchers from government, academia, and industry as well as training 
grounds for creating skilled operators, technicians, and researchers for future com- 
mercial facilities. 

Responses of Todd A. Snitchler to Questions From Senator Barrasso 

Question 1. In your testimony, you state that “one-size solutions for cybersecurity 
may not be the most effective means to mitigate and reduce known vulnerabilities.” 
Would you expand upon your comments for the Committee? 

Answer. Broad-based principles regarding good cybersecurity practices may be 
more appropriate for utility applications. Industrial Control Systems (ICS) and Su- 
pervisory Control And Data Acquisition Systems (SCADA) tend to be very special- 
ized equipment monitoring and controlling extremely complex networks. What may 
he considered a best-practices approach for one control system may not function as 
a best-practices approach for a different control system. The existing differences in 
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approaching cybersecurity utilized by the utilities and also the RTOs actually has 
a positive effect in that an attack on one utility’s system will not necessarily bring 
down all systems because each has its own method of ensuring their cybersecurity. 
By allowing disparate approaches to solving the cybersecurity issue, while estab- 
lishing the broad based, best practices, we potentially strengthen defenses against 
attacks to the grid. 

Question 2. In your testimony, you state that “smart grid [technology] fundamen- 
tally makes the electric system more secure.” However, you also say that “this tech- 
nology brings with it new vulnerabilities. . .which should be taken extremely seri- 
ously.” Would you expand upon the vulnerabilities that smart grid technology brings 
to our electric grid? 

Answer. The “Smart Grid” too often is defined as being synonymous with “smart 
meters” or advanced metering infrastructure (AMI). Other important portions of the 
Smart Grid often overlooked include synchrophasors, protective relays, reclosers, 
and substation automation, among others. These components improve fault-detec- 
tion capabilities and enable self-healing of the electricity grid. Taken as a whole, 
these technologies do make the electric system more secure and more reliable. The 
additional vulnerabilities are introduced by converting previously one-directional 
flows of power and information to become bi-directional. As additional points of data 
collection and gathering are introduced, so, too, are there additional points where 
hackers or other non-native data sources may introduce false information feeds into 
the network in an attempt to cause disruptions or system actions undesirable to the 
system operators. Finally, each new potential access point creates a remote source 
of entry to the system. It is essential to security protocols that proper backstopping 
from those potential entry points ensure that remote access is denied and the sys- 
tem is able to lock out or compartmentalize the access points to ensure that access, 
if secured, can be isolated and prevent substantial harm to the system. 

Question 3. In your testimony, you explain that state regulators and industry “are 
unable to provide the. . .protection necessary to help secure our nation’s critical in- 
frastructure if the relevant Federal agencies do not provide actionable information 
to address imminent threats.” You go on to say that “asset owners who provide in- 
formation about their systems to Federal agencies in the spirit of coopera- 
tion. . .never receive truly meaningful, actionable, timely information in return.” 

a. Do you know why the Federal government is not sharing this information 
with state regulators and industry? 

Answer. An often-cited answer is lack of security clearances in order to share spe- 
cific threat information with state regulators or industry. This is understandable for 
specific threat information. Present practice provides monthly or intermittent threat 
briefings to the electricity sector, yet such threat information is often too stale or 
so non-specific as to be un-actionable. Surely an opportunity exists to provide more 
timely or actionable information without disclosing classified information. Address- 
ing this fundamental problem would be a tremendous help to state regulators and, 
I expect, to the electricity industry. For instance, in the case of the “Aurora” situa- 
tion, the federal government and its regulators in essence told the electric utility 
sector, “we have a secret problem on our hands and we can’t tell you what it 
is. . . .now go fix it.” In this specific case, the government knew of a vulnerability 
(they created it in a lab), and wanted that vulnerability addressed yet would not 
or could not disclose that information at that time. There must be a way for the 
federal government to provide such actionable intelligence in a timely manner so 
that those that need to take action know what action to take before the vulner- 
ability becomes a threat and a threat becomes a tragedy. 

b. Do state regulators and industry lack the security clearances necessary to 
obtain this information? 

Answer. A lack of security clearances by regulators and utilities often is cited as 
the primary impediment to sharing of information by the federal government. How- 
ever, granting additional regulatory authority to FERC or another federal agency 
does nothing to change that fact. Therefore, it would appear that it might be worth 
some time devising a means for the federal government to share relevant, action- 
able, and timely information with state regulators and utilities without divulging 
the methods or sources by which that information has been obtained. Additionally, 
the federal agencies responsible for providing security clearances should establish 
a consultative process with those in the electricity sector (state government and in- 
dustry) to identify to whom or to which positions within the industry and/or state 
government ought to be provided an opportunity to gain the necessary clearance and 
at what level. The agencies should then be instructed to establish a procedure to 
thoroughly review and process these requests. In order to secure timely transfer of 
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information, select members of state commissions and/or utilities should be consid- 
ered for security approval and permitted access to information critical to mainte- 
nance and protection of the grid. 

Question 4. In your testimony, you state that “our utilities can provide a ‘gold- 
plated’ or even a ‘platinum-plated’ system which is ultra-cyher secure.” However, 
you go on to ask “how much more do we want a kilowatt hour of electricity to cost?” 
Would you discuss the potential impact of new cyber security investments on rate- 
payers? 

Answer. It is difficult to assess a financial cost of cybersecurity investments im- 
posed by a federal regulatory agency not yet granted the authority to order such 
investments. It also is difficult to ascertain what cybersecurity requirements might 
be imposed by such a scheme. Yet, nothing is too expensive for one who doesn’t have 
to pay the bill. 

My point is this: there are risks these businesses must manage everyday in run- 
ning their utility systems. Cyhersecurity is one more of those risks that must be 
managed. There is a definite role for the federal and state governments to assist 
these critical infrastructures in securing their networks. But, as stated above, a 
best-practices approach for one utility, when applied to another utility, may not 
have the same positive impact on that second utility’s cybersecurity posture. In 
other words, what may be prudent and necessary cybersecurity infrastructure ex- 
penditures for a utility system in Washington, DC, which houses much of our fed- 
eral government, may not be appropriate in Houston, Texas, which houses petro- 
leum refining. And neither of the appropriate cybersecurity expenditures in those 
two instances may he prudent to a utility serving Pleasantville, Ohio. The oppor- 
tunity exists for the federal and state governments to ensure appropriate cost recov- 
ery for necessary cyhersecurity remediations or enhancements. Undoubtedly, these 
utility control systems must become more secure and resilient; but most beneficial 
would be federal guidance to the electricity sector and state regulatory bodies that 
would assist us in determining how to best direct scarce resources in the most cost- 
effective appropriate fashion to he directed against the most imminent threats and 
against the likely vulnerabilities to the electricity sector. 

In the end, we cannot, and we should not, expend resources on every known vul- 
nerability: it would just be too expensive. For instance, to use the analogy of phys- 
ical security, we could place 24-hour manned guardhouses at the base of each major 
electric transmission tower in order to prevent the vulnerability of a terrorist bring- 
ing down the grid with the destruction of multiple towers in several key locations. 
However this would be a very expensive solution for a low probability vulnerability. 
We must address the cyhersecurity threats and vulnerabilities just as we address 
the physical security threats and vulnerabilities to our nation’s infrastructure. 

Question 5. At what point do the costs and vulnerabilities associated with smart 
grid technology outweigh the value for ratepayers? 

Answer. There is no simple answer to the question posed here. The experience of 
power outages brought on by storm activity is fundamentally no different than a 
cyber attack that may disable the grid. A cost-benefit analysis must be performed — 
either explicitly or implicitly — to ascertain if the costs associated with the risk are 
worth the benefit achieved by implementation of the grid. 

The self-healing ability of the smart grid, shorter outage times and increased reli- 
ability are all substantial benefits as a result of the use of the smart grid. Further, 
in restructured markets customers have greater access to options to control their 
utility usage and control their costs, as well as the increasingly varied pricing op- 
tions available are all dependent on the utilization of the smart grid tools. 


Government Accountability Office, 

Washington, DC, August 2, 2012. 

Hon. Jeff Bingaman, 

Chairman, Committee on Energy and Natural Resources, U.S. Senate. 

Subject: Responses to Questions for the Record; Hearing on Status of Action Taken 
to Ensure that the Electric Grid Is Protected from Cyber Attacks 

This letter responds to your July 26, 2012, request that we reply to additional 
questions arising from the Committee’s July 17, 2012, hearing on the status of ac- 
tions to protect the electricity grid from cyber attacks. At the hearing, we discussed 
(1) cyber threats facing cyber-reliant critical infrastructures, which include the elec- 
tricity grid, and (2) actions taken and challenges remaining to secure the grid 
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against cyber attacks. ^ The enclosure provides our responses, which are primarily 
based on previously issued products that were performed in accordance with gen- 
erally accepted government auditing standards.^ 

Should you or your office have any questions on the matters discussed in this let- 
ter, please contact me at (202) 512-6244 or wilshuseng@gao.gov or David C. Trimble, 
Director, Natural Resources and Environment, at (202) 512-3841 or 

trimbled@gao.gov. 

Sincerely yours, 

Gregory C. Wilshusen, 
Director, Information Security Issues. 

[Enclosure.] 


Responses to Questions From Senator Bingaman 

Question 1. You recommend that FERC develop an approach to coordinate with 
state regulators and entities that are not subject to state regulation to evaluate the 
extent to which utilities and manufacturers are following voluntary standards, and 
to develop strategies for addressing gaps in compliance with standards. What en- 
courages you to believe that efforts like this could be successful? 

Answer. Electricity industry regulation is fragmented, with oversight responsi- 
bility divided among various regulators at the federal, state, and local levels. Such 
regulatory fragmentation can make it difficult for individual regulators to develop 
an industry-wide understanding of whether utilities and manufacturers are fol- 
lowing voluntary standards. This is due to the large number of regulators in the 
industry-the Federal Energy Regulatory Commission (FERC), electricity regulators 
in 50 states and the District of Columbia, and regulators of thousands of cooperative 
and municipal utilities-and their potentially limited visibility over parts of the grid 
outside their jurisdiction. This complex reality of electricity regulation led us to be- 
lieve that a coordinated approach to monitoring whether utilities and manufacturers 
follow voluntary standards would be more successful than an approach in which one 
or more regulators attempted such an assessment on its own. We are encouraged 
by the fact that FERC has previously worked with state regulators and groups rep- 
resenting entities not subject to state regulation on a range of issues. For example, 
we reported that FERC and the state commissions had already begun initial collabo- 
ration on smart grid and demand-response issues,^ and these and other entities 
have also collaborated on other topics, including issues related to Regional Trans- 
mission Organizations and electric reliability and environmental regulations. 

Question 2. I think that you are primarily talking about the NIST smart grid 
standards that FERC did not adopt because they did not find sufficient consensus 
in the industry to do so. Do you believe that FERC has the authority to adopt those 
standards without such consensus? 

Answer. Section 1305(d) of the Energy Independence and Security Act (EISA)'' 
provides that any time after the National Institute of Standards and Technology’s 
(NIST) work has led to sufficient consensus in FERC’s judgment, FERC shall insti- 
tute a rulemaking proceeding to adopt such standards and protocols as may be nec- 
essary to ensure smart-grid functionality and interoperability. In July 2011, FERC 
declined to institute a rulemaking procedure to adopt initial smart grid standards 
identified as a part of the NIST efforts, finding that there was not sufficient con- 
sensus to do so. EISA does not give FERC authority to adopt the standards in the 
absence of a determination by FERC that sufficient consensus has been achieved. 

As noted in our testimony statement, smart grid standards identified through the 
NIST-led process outlined under EISA are voluntary unless regulators use other au- 
thorities to indirectly compel utilities and manufacturers to follow them. In this re- 
gard, FERC’s authority over the rates, terms, and conditions of transmission and 
wholesale sales in interstate commerce and its responsibility for reliability stand- 
ards for the hulk-power system may be relevant. For instance, to the extent that 


'GAO, Cybersecurity: Challenges in Securing the Electricity Grid, GAO-12-926T (Washington, 
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2 Including: GAO-12-926T; Critical Infrastructure Protection: Cybersecurity Guidance Is Avail- 
able, but More Can Be Done to Promote Its Use, GAO- 12-92 (Washinfhon, D.C.: Dec. 9, 2011); 
Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key 
Challenges Remain to be Addressed, GAO-11-117 (Washington, D.C.: Jan. 12, 2011); Critical In- 
frastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Chal- 
lenges Remain, GAO-07-1036 (Washington, D.C.: Sept. 10, 2007); and Information Security: TVA 
Needs to Address Weaknesses in Control Systems and Networks, GAO-08-526 (Washington, 
D.C.: May 21, 2008). 

3 GAO-11-117. 

“EISA § 1305(d), Puh. L. No. 110-140, § 1305(d), 121 Stat. 1492, 1788 (Dec. 19, 2007). 
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smart grid interoperability and cybersecurity standards are deemed necessary by 
FERC to ensure the reliability of the bulk power system, these standards could be 
considered through reliability-based authority provided under the Federal Power 
Act.® Under this authority, the North American Electric Reliability Corporation 
(NERC) can develop standards to protect the reliability of the bulk power system, 
or be requested by FERC to do so. If approved, such standards would be considered 
mandatory and enforceable by both NERC and FERC. However, the FERC Chair- 
man has described limitations on FERC’s reliability jurisdiction in the context of se- 
curing smart grid systems.® 

Responses to Questions From Senator Murkowski 

Question 1. Many of the hearing witnesses noted that you simply cannot protect 
an entity from all potential cyber-attacks. Mr. Snitchler from the Ohio PUC cautions 
that while you can try to “gold-plate” or even “platinum-plate” a system, the critical 
infrastructure we’re trying to protect will become too expensive to run. Instead, he 
suggests we prioritize, using a risk-based approach. Please comment on the issue 
of cybersecurity costs and the suitability of using a risk-based approach. Do you 
agree with Mr. Snitchler that we should be protecting “diamonds like diamonds” 
and “apples like apples”? 

Answer. We have reported on the importance of using a risk-based approach for 
securing critical infrastructures, including control systems.'^ Risk management has 
received widespread support within and outside government as a tool that can help 
set priorities on how to protect critical infrastructures.® Security controls identified 
through a risk management process should be cost-effective and reduce risk to an 
acceptable level. In making decisions about risks associated with the electricity grid, 
other sectors’ reliance on electricity should be an important consideration.® Due to 
these interdependencies, the consequences of an attack on the electricity grid could 
cascade across many sectors, impacting our national economy and security and the 
health and well-being of citizens. 

In relation to the need for risk-based approaches, we testified that, in May 2012, 
the Department of Energy released the Electricity Subsector Cybersecurity Risk 
Management Process. The guideline is intended to ensure that cyhersecurity risks 
for the electric grid are addressed at the organization, mission or business process, 
and information-system levels. We have not evaluated this guide. 

Question 2. We hear a lot about the potential benefits from smart grid systems, 
including reduced rates and improved reliability. However, we’re starting to hear 
more about an unintended consequence from smart grid systems-namely that the 
smart grid’s reliance on IT systems and networks exposes the electric grid to 
cybersecurity vulnerabilities which could be exploited by attackers. In the 2007 en- 
ergy bill. Congress directed NIST to develop smart grid interoperability standards 
that FERC would later adopt. I understand that while NIST has developed these 
standards, FERC has not yet taken action because of a lack of consensus on the 
standards. 

The 2009 stimulus bill provided over $4 billion in smart grid funding before these 
NIST interoperability standards were even developed. In fact, the stimulus bill pro- 
vided $10 million in funding for NIST to perform the standard development work. 
What cyhersecurity protections were included in the smart grid assets purchased 
with stimulus money? Doesn’t it cost more to implement security after the network 
is already up and running? 


sSee §215 of the Federal Power Act, 16 U.S.C. § 824o. 

® Letters from the FERC Chairman to Chairman Inouye and Ranking Member Cochran and 
to Chairman Rogers and Ranking Member Dicks on actions taken in response to GAO-11-117 
(Feb. 14, 2012). 

"^See GAO, Risk Management: Further Refinements Needed to Assess Risks and Prioritize 
Protective Measures at Ports and Other Critical Infrastructure, GAO-06-91 (Washington, D.C.: 
Dec. 15, 2005). 

®Risk is the probability that a particular threat-source will exercise (accidentally trigger or 
intentionally exploit) a particular information system vulnerability. Risk management is the 
process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. 

® Federal policy established 18 critical infrastructure sectors, including the energy sector, 
which has two subsectors for oil and gas and for electricity. Other sectors include: banking and 
finance; chemical; commercial facilities; communications; critical manufacturing; dams; defense 
industrial base; emergency services; food and agriculture; government facilities; health care and 
public health; information technology; national monuments and icons; nuclear reactors, mate- 
rials, and waste; postal and shipping; transportation systems; and water. 

i®U.S. Department of Energy, Electricity Subsector Cyhersecurity Risk Management Process, 
DOE/OE-0003 (Washington, D.C.: May 2012). 
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Answer. We have not conducted the work necessary to answer the question re- 
garding what cybersecurity protections were included in the smart grid assets pur- 
chased with stimulus money. However, with respect to the Smart Grid Investment 
Grant program that received additional funds under the American Recovery and Re- 
investment Act of 2009, the Department of Energy Inspector General found that 
three of the five cybersecurity plans (required to be submitted by grantees) that it 
reviewed were incomplete, and did not always sufficiently describe security controls 
and how they were implemented.^'^ While this finding cannot be projected across all 
such grants, it indicates a risk that grantors and grantees were not adequately con- 
sidering security prior to the issuance of grants. 

Generally, implementing information security features after the technology is op- 
erating is more difficult and more costly than is designing and developing the tech- 
nology with security in mind. 

Responses to Questions From Senator Barrasso 

Question 1. The President’s stimulus bill provided about $3.5 billion for the Smart 
Grid Investment Grant program. In January of this year, the Department of Ener- 
gy’s Inspector General issued a report about this program. The Inspector General 
stated that DOE “approved cyber security plans for Smart Grid projects even though 
some of the plans contained shortcomings.” The Inspector General also stated that 
DOE “was so focused on quickly disbursing [stimulus] funds that it had not ensured 
[its] personnel received adequate grants management training.” In the Department’s 
rush to deploy smart grid technology, has it compromised the security of our na- 
tion’s electric grid? 

Answer. We have not examined the cybersecurity aspects of the smart grid tech- 
nology deployed through DOE’s Smart Grid Investment Grant program and thus 
cannot comment on its impact to the security of the nation’s electric grid. 

Question 2. Would you please estimate how much it will cost to secure the smart 
grid systems that have been deployed as a result of stimulus funding? 

Answer. We have not conducted the work necessary to answer this question. 

Question 3. Who is likely to bear the costs identified in question 2? Will it be 
asset-owners? Will it be ratepayers? Will it be Federal taxpayers? 

Answer. As noted above, we have not conducted the work necessary to estimate 
how much it will cost to secure smart grid systems deployed as a result of stimulus 
funding. As noted in previous questions, some federal teixpayer money is being spent 
on smart grid systems under the Smart Grid Investment Grant Program. However, 
it is unlikely that federal taxpayers would be responsible for the costs associated 
with additional activities to secure these smart grid systems unless additional funds 
were designated by Congress for that purpose. 

In general, however, smart grid investments-like other electricity investments 
made by utilities-may be paid for in one of a number of ways. The costs of invest- 
ments in electricity systems may be passed on to ratepayers if they are approved 
by the relevant regulator according to that regulator’s standards for rate recovery. 
In cases where an investment is not approved by the relevant regulator, the owners 
of the asset may have to bear the cost of the investment. 
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"U.S. Department of Energy, Office of the Inspector General, Office of Audits and Inspec- 
tions, Audit Report: The Department’s Management of the Smart Grid Investment Grant Pro- 
gram, OAS-RA-12-04 (Washington, D.C.: January 20, 2012). 



